[Snort-users] Nmap -sT detection

waldo kitty wkitty42 at ...14940...
Thu Jul 24 15:09:55 EDT 2014


On 7/24/2014 2:10 AM, Meysam Farazmand wrote:
> Hello all,
>
> As you know, in nmap, when we use the -sT switch and set the timing template to
> paranoid or polite, it's impossible for snort to detect the port scan. So I have
> an idea. In snort rules, if we could say, for example, when more than five ports
> are accessed by one host in 1 hour, trigger an alert. So I wanted to know if it's
> possible to implement this idea in snort rules?

seems that thresholding via threshold.conf or in-rule detection_filter would be 
where you would look... here's a link to detection_filter

http://manual.snort.org/node538.html

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
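
The idea from the question (one source touching more than five ports within an hour), as an added example that is not from either poster and is not Snort code. Snort's detection_filter counts matches of a rule per tracked source or destination address, so this example shows the distinct-port counting logic itself, run over constructed connection records; the record format, addresses and function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(hours=1)  # "in 1 hour", from the question
MAX_PORTS = 5                # alert on MORE than five distinct ports


def _probes(src, start, step_min, ports):
    """Build constructed (timestamp, src_ip, dst_port) records, one per step."""
    t0 = datetime.strptime(start, FMT)
    return [((t0 + timedelta(minutes=i * step_min)).strftime(FMT), src, p)
            for i, p in enumerate(ports)]


# Constructed sample data (documentation addresses, not real traffic):
# a slow scanner, a client reusing one port, and a host spread over hours.
SAMPLE = (
    _probes("192.0.2.10", "2014-07-24 02:00:00", 5, [21, 22, 23, 25, 80, 443])
    + _probes("198.51.100.7", "2014-07-24 02:00:00", 1, [443] * 10)
    + _probes("203.0.113.5", "2014-07-24 02:00:00", 30, [21, 22, 23, 25, 80, 443])
)


def detect_slow_scans(records, window=WINDOW, max_ports=MAX_PORTS):
    """Return (src, time, ports) the first time a source exceeds max_ports
    distinct destination ports inside a sliding time window."""
    recent = defaultdict(deque)  # src -> (time, port) pairs still in the window
    alerted = set()              # sources already reported once
    alerts = []
    for ts, src, port in sorted(records):
        now = datetime.strptime(ts, FMT)
        seen = recent[src]
        seen.append((now, port))
        # Drop connections that have aged out of the window.
        while now - seen[0][0] > window:
            seen.popleft()
        ports = {p for _, p in seen}
        if len(ports) > max_ports and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, sorted(ports)))
    return alerts


if __name__ == "__main__":
    for src, ts, ports in detect_slow_scans(SAMPLE):
        print(f"{ts} possible slow scan from {src}: ports {ports}")
```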



