[Snort-users] help: how to block the_scan when use snort3.0 for port scan detecting ?

Russ rucombs at cisco.com
Mon Feb 11 09:33:04 EST 2019


Set alert_all = true and change your rule actions from alert to block:

$ snort --help-config port_scan | grep alert_all
bool port_scan.alert_all = false: alert on all events over threshold within window if true; else alert on first only

On 2/11/19 2:19 AM, sofardware via Snort-users wrote:
>       Hi all,
>       I found the following words in the snort3 user manual, but the
> manual does not say how to config the snort3 to realize blocking the
> scan? Who can tell me how? Thank you very much.
>       16.2 Features Improved over Snort 2
>               port_scan can block scans (Snort 2 can only detect scans)

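The change described in the reply above, as an added example that is not part of the original message or of Snort's own tooling: a shell filter that flips only the active port_scan rule stubs (generator ID 122) from alert to block. The rule lines are constructed samples in the stub format that `snort --dump-builtin-rules` prints; `sample_rules`, `to_block` and the output file name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread).
# The snort.lua setting named in the reply:
#   port_scan = { alert_all = true }
# A block action can only drop traffic when Snort runs inline.

# Constructed sample: builtin rule stubs, one per line.
sample_rules() {
    cat <<'EOF'
alert ( gid:122; sid:1; rev:1; msg:"(port_scan) TCP portscan"; )
alert ( gid:122; sid:3; rev:1; msg:"(port_scan) TCP portsweep"; )
alert ( gid:116; sid:1; rev:1; msg:"constructed non-port_scan rule"; )
alert ( gid:1220; sid:1; rev:1; msg:"constructed look-alike gid"; )
# alert ( gid:122; sid:19; rev:1; msg:"(port_scan) UDP portsweep"; )
EOF
}

# Rewrite the action of active rules that carry gid:122, and nothing else:
# other generators, look-alike gids and commented-out rules pass through unchanged.
to_block() {
    sed -E '/^[[:space:]]*alert[[:space:]]*\(.*gid:[[:space:]]*122[[:space:]]*;/ s/^([[:space:]]*)alert/\1block/'
}

# Usage (output file name is hypothetical):
#   snort --dump-builtin-rules | to_block > port_scan_block.rules
```

Load the rewritten stubs as an ordinary rules file next to the `alert_all = true` setting, and review the diff before deploying, since every threshold event in the window will now block.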