[Snort-users] help: how to block the_scan when use snort3.0 for port scan detecting?
rucombs at cisco.com
Mon Feb 11 09:33:04 EST 2019
Set alert_all = true and change your rule actions from alert to block:
$ snort --help-config port_scan | grep alert_all
bool port_scan.alert_all = false: alert on all events over threshold
within window if true; else alert on first only
On 2/11/19 2:19 AM, sofardware via Snort-users wrote:
> Hi all,
> I found the following words in the snort3 user manual, but the
> manual does not say how to configure snort3 to block the
> scan. Who can tell me how? Thank you very much.
> 16.2 Features Improved over Snort 2
> port_scan can block scans (Snort 2 can only detect scans)
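What the reply describes, written out as a snort.lua fragment. This is an added example, not part of the original message or the Snort distribution. It assumes that gid 122 is port_scan's builtin generator id, that sid 1 is its TCP portscan event, and that Snort runs inline, since a block action can only drop traffic when the sensor sits in the packet path.

```lua
-- snort.lua fragment (added example, not from the original thread)

-- Raise an event for every packet over the threshold within the window,
-- not only the first one. With the default (false) only the first event
-- fires, so a block rule would act on one packet and let the rest through.
port_scan =
{
    alert_all = true,
}

-- Builtin rules have no header, only an action and an option list.
-- Changing the action from "alert" to "block" is the second half of the
-- advice in the reply.
-- Assumption: gid 122 / sid 1 identify the port_scan TCP portscan event.
-- Confirm the ids on your build with:
--     snort --list-builtin port_scan
-- and generate stubs for every port_scan event with:
--     snort --dump-builtin-rules port_scan
-- then change the action on the ones you want enforced.
ips =
{
    rules = [[
        block ( gid:122; sid:1; rev:1; msg:"(port_scan) TCP portscan"; )
    ]],
}
```

Validate the merged configuration with `snort -c snort.lua -T` before deploying it. In passive (sniffing) mode the rule still logs, but nothing is dropped.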