<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Yes,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I'm familiar with these manuals, but they are still not good enough; in addition, I can't configure both src and dst for suppression.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Izik Birka<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Y M [mailto:snort@...15979...]
<br>
<b>Sent:</b> Sunday, February 21, 2016 5:43 PM<br>
<b>To:</b> Izik Birka <Izik.Birka@...17456...><br>
<b>Cc:</b> snort-users@lists.sourceforge.net<br>
<b>Subject:</b> Re: [Snort-users] sfPortscan - false positive<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div id="divtagdefaultwrapper">
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">For thresholding, check this: <a href="http://manual.snort.org/node35.html" id="LPlnk636674">http://manual.snort.org/node35.html</a><o:p></o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">For suppression check this:
<a href="http://manual.snort.org/node207.html" id="LPlnk719296">http://manual.snort.org/node207.html</a><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">As you will note, these do not operate at the port level; it's a combination of sid / gid / src or dst IP.<o:p></o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">YM<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<div>
<div class="MsoNormal" align="center" style="text-align:center;background:white">
<span style="font-family:"Calibri",sans-serif;color:black">
<hr size="2" width="98%" align="center">
</span></div>
<div id="divRplyFwdMsg">
<p class="MsoNormal" style="background:white"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> Izik Birka <<a href="mailto:Izik.Birka@...17460....">Izik.Birka@...17456...</a>><br>
<b>Sent:</b> Sunday, February 21, 2016 3:35 PM<br>
<b>To:</b> Y M<br>
<b>Cc:</b> <a href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a><br>
<b>Subject:</b> RE: [Snort-users] sfPortscan - false positive</span><span style="font-family:"Calibri",sans-serif;color:black">
<o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">This is my configuration</span><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="RTL"></span><span lang="HE" style="font-size:11.0pt;color:#1F497D"><span dir="RTL"></span> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<pre style="font-size:11.0pt;color:#1F497D"># Portscan detection. For more information, see README.sfportscan
preprocessor sfportscan: proto  { all } \
                          memcap { 10000000 } \
                          sense_level { low } \
                          ignore_scanners { IP,IP,IP } \
                          ignore_scanned { IP,IP/24,IP,IP/24, IP,IP,IP } \
                          scan_type { portscan }
</pre>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">As you can see, I configured scan_type and started to exclude IPs, then I realized that it's going to be hard work, so I started searching for a better solution.</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">What can I configure in the thresholding file?</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I want, for example, to receive an alert for 10 or more ports scanned per IP – this will reduce a lot of my alerts…</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
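<p class="MsoNormal">The per-IP criterion Izik asks for above (alert only once 10 or more ports have been probed from one address within a time window, the old "10 60" semantics) can be applied after the fact to the alert records sfportscan writes, using the Priority Count, Connection Count and Port/Proto Count fields the thread says to use for false-positive triage. This is an added example, not code from the thread or from Snort; the records are constructed in the layout README.sfportscan documents, and the addresses are placeholders.</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the layout README.sfportscan documents for the
# sfportscan log file; the IPs are placeholders, not data from the thread.
SAMPLE_LOG = """\
Time: 02/21-14:00:01.000000
192.168.1.50 -> 10.0.0.5 (portscan) TCP Portscan
Priority Count: 3
Connection Count: 4
IP Count: 1
Scanner IP Range: 192.168.1.50:192.168.1.50
Port/Proto Count: 4
Port/Proto Range: 80:8443

Time: 02/21-14:00:20.000000
192.168.1.77 -> 10.0.0.5 (portscan) TCP Portscan
Priority Count: 12
Connection Count: 12
IP Count: 1
Scanner IP Range: 192.168.1.77:192.168.1.77
Port/Proto Count: 12
Port/Proto Range: 21:3389

Time: 02/21-14:02:10.000000
192.168.1.50 -> 10.0.0.5 (portscan) TCP Portscan
Priority Count: 0
Connection Count: 6
IP Count: 1
Scanner IP Range: 192.168.1.50:192.168.1.50
Port/Proto Count: 6
Port/Proto Range: 22:9000

Time: 02/21-14:02:30.000000
192.168.1.50 -> 10.0.0.5 (portscan) TCP Portscan
Priority Count: 4
Connection Count: 5
IP Count: 1
Scanner IP Range: 192.168.1.50:192.168.1.50
Port/Proto Count: 5
Port/Proto Range: 23:5900
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z_/ ]+?):\s*(?P<val>.+)$")
HEADER_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) \(\w+\) (?P<name>.+)$")


def parse_sfportscan_log(text):
    """Return one dict per alert record, with the count fields converted to ints."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = HEADER_RE.match(line.strip())
            if m:
                rec.update(src=m["src"], dst=m["dst"], name=m["name"])
                continue
            m = FIELD_RE.match(line.strip())
            if m:
                rec[m["key"]] = m["val"]
        rec["time"] = datetime.strptime(rec["Time"], "%m/%d-%H:%M:%S.%f")
        rec["ports"] = int(rec["Port/Proto Count"])
        rec["priority"] = int(rec["Priority Count"])
        rec["connections"] = int(rec["Connection Count"])
        records.append(rec)
    return records


def bad_response_ratio(rec):
    """Priority Count (bad responses: resets, unreachables) over Connection Count.
    Near 1.0 means nearly every probed port answered with an error, i.e. closed
    ports were being touched; a low ratio means the connections mostly succeeded,
    the pattern of a busy legitimate host and a candidate false positive."""
    return rec["priority"] / rec["connections"] if rec["connections"] else 0.0


def filter_alerts(records, min_ports=10, seconds=60):
    """Keep an alert only once its scanner has touched min_ports ports within
    `seconds`: the '<net> 10 60' semantics of the old portscan preprocessor,
    applied to sfportscan output.  Port/Proto Count of the events in the window
    is summed, so a port probed in two separate events counts twice (acceptable
    for triage, where over-counting only makes the filter slightly looser)."""
    window = defaultdict(deque)  # scanner IP -> (time, port count) pairs in window
    kept = []
    for rec in sorted(records, key=lambda r: r["time"]):
        q = window[rec["src"]]
        q.append((rec["time"], rec["ports"]))
        cutoff = rec["time"] - timedelta(seconds=seconds)
        while q and q[0][0] < cutoff:  # drop events older than the window
            q.popleft()
        total = sum(count for _, count in q)
        if total >= min_ports:
            kept.append({**rec, "window_ports": total})
    return kept


if __name__ == "__main__":
    for alert in filter_alerts(parse_sfportscan_log(SAMPLE_LOG)):
        print(alert["src"], alert["window_ports"], round(bad_response_ratio(alert), 2))
```

With the sample above, the single 12-port event from 192.168.1.77 is kept outright, and 192.168.1.50 is kept only when its 6-port and 5-port events fall inside one 60-second window, while its earlier 4-port event has aged out.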
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<b><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From</span></b><span dir="RTL"></span><b><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span>:</span></b><span lang="HE" style="font-size:11.0pt;color:black">
</span><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Y M [<a href="mailto:snort@...15979...">mailto:snort@...15979...</a></span><span dir="RTL"></span><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span>]
<br>
</span><b><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Sent</span></b><span dir="RTL"></span><b><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span>:</span></b><span lang="HE" style="font-size:11.0pt;color:black">
</span><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Sunday, February 21, 2016 4:33 PM</span><span lang="HE" style="font-size:11.0pt;color:black"><br>
</span><b><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">To</span></b><span dir="RTL"></span><b><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span>:</span></b><span lang="HE" style="font-size:11.0pt;color:black">
</span><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Izik Birka</span><span dir="RTL"></span><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span> <</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><a href="mailto:Izik.Birka@...17456..."><span dir="LTR">Izik.Birka@...17456...</span></a></span><span dir="RTL"></span><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span>><br>
</span><b><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Cc</span></b><span dir="RTL"></span><b><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span>:</span></b><span lang="HE" style="font-size:11.0pt;color:black">
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><a href="mailto:snort-users@lists.sourceforge.net"><span dir="LTR">snort-users@lists.sourceforge.net</span></a></span><span lang="HE" style="font-size:11.0pt;color:black"><br>
</span><b><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Subject</span></b><span dir="RTL"></span><b><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span>:</span></b><span lang="HE" style="font-size:11.0pt;color:black">
</span><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">RE: [Snort-users] sfPortscan - false positive</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
</div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:black"> <o:p></o:p></span></p>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="color:black">If you review the sfportscan configuration here:
<a href="http://manual.snort.org/node79.html" id="LPlnk925365"><span lang="EN-US" dir="LTR" style="color:#0563C1">http://manual.snort.org/node79.html</span></a>,
you can specify the scan type and the scan sensitivity, watch, and ignore. Portsweep is different from port scan; it's just an example.</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="RTL"></span><span lang="HE" style="color:black"><span dir="RTL"></span> </span><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="color:black">YM</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="color:black"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="color:black">Sent from Mobile</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="color:black"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
<p dir="RTL" style="margin-bottom:12.0pt;text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:black"><o:p> </o:p></span></p>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="color:black">On Sun, Feb 21, 2016 at 6:28 AM -0800</span><span dir="RTL"></span><span lang="HE" style="color:black"><span dir="RTL"></span>, "</span><span dir="LTR" style="color:black">Izik Birka</span><span dir="RTL"></span><span lang="HE" style="color:black"><span dir="RTL"></span>"
 <<a href="mailto:Izik.Birka@...17456..." target="_blank"><span lang="EN-US" dir="LTR" style="color:#0563C1">Izik.Birka@...17456...</span></a><span dir="RTL"></span><span dir="RTL"></span>>
</span><span dir="LTR" style="color:black">wrote</span><span dir="RTL"></span><span lang="HE" style="color:black"><span dir="RTL"></span>:</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">How can this data help me if I can't change the ratio?</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I continue to get false positive alerts</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Is there any way to configure the number of scanning attempts and the time period for the alert to show?</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">In the past the command was a bit different and I was able to configure it.</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Example:</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Preprocessor portscan: 192.168.1.0/24 10 60</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#1F497D">10 </span><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">is the number of scanning attempts</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#1F497D">60 </span><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">is the time period</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Izik Birka</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<b><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From</span></b><span dir="RTL"></span><b><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span>:</span></b><span lang="HE" style="font-size:11.0pt;color:black">
</span><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Y M</span><span dir="RTL"></span><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span> [<a href="mailto:snort@...15979..."><span lang="EN-US" dir="LTR" style="font-family:"Calibri",sans-serif;color:#0563C1">mailto:snort@...15979...</span></a><span dir="RTL"></span><span dir="RTL"></span>]
<br>
</span><b><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Sent</span></b><span dir="RTL"></span><b><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span>:</span></b><span lang="HE" style="font-size:11.0pt;color:black">
</span><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Sunday, February 21, 2016 4:20 PM</span><span lang="HE" style="font-size:11.0pt;color:black"><br>
</span><b><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">To</span></b><span dir="RTL"></span><b><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span>:</span></b><span lang="HE" style="font-size:11.0pt;color:black">
</span><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Izik Birka</span><span dir="RTL"></span><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span> <<a href="mailto:Izik.Birka@...17456..."><span lang="EN-US" dir="LTR" style="font-family:"Calibri",sans-serif;color:#0563C1">Izik.Birka@...17456...</span></a><span dir="RTL"></span><span dir="RTL"></span>><br>
</span><b><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Cc</span></b><span dir="RTL"></span><b><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span>:</span></b><span lang="HE" style="font-size:11.0pt;color:black">
<a href="mailto:snort-users@lists.sourceforge.net"><span lang="EN-US" dir="LTR" style="font-family:"Calibri",sans-serif;color:#0563C1">snort-users@lists.sourceforge.net</span></a><br>
</span><b><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Subject</span></b><span dir="RTL"></span><b><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span>:</span></b><span lang="HE" style="font-size:11.0pt;color:black">
</span><span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Re: [Snort-users] sfPortscan - false positive</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
</div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:black"> <o:p></o:p></span></p>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="color:black">I believe they refer to the data generated by the preprocessor. Review the distribution of the data points mentioned. I am not on a computer to verify</span><span dir="RTL"></span><span lang="HE" style="color:black"><span dir="RTL"></span>.</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="color:black"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="color:black">YM</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="color:black"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="color:black">Sent from Mobile</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="color:black"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:black"> <o:p></o:p></span></p>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="color:black">On Sun, Feb 21, 2016 at 3:20 AM -0800</span><span dir="RTL"></span><span lang="HE" style="color:black"><span dir="RTL"></span>, "</span><span dir="LTR" style="color:black">Izik Birka</span><span dir="RTL"></span><span lang="HE" style="color:black"><span dir="RTL"></span>"
 <<a href="mailto:Izik.Birka@...17456..." target="_blank"><span lang="EN-US" dir="LTR" style="color:#0563C1">Izik.Birka@...17456...</span></a><span dir="RTL"></span><span dir="RTL"></span>>
</span><span dir="LTR" style="color:black">wrote</span><span dir="RTL"></span><span lang="HE" style="color:black"><span dir="RTL"></span>:</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Hi</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">I'm trying to tune PortScan false positives. I found this explanation on the Snort site:</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:#333333;background:#F2F2F2"> </span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Helvetica",sans-serif;color:#333333;background:#F2F2F2">Make use of the Priority Count, Connection Count, IP Count, Port Count, IP range, and Port range to determine false positives</span><span dir="RTL"></span><span lang="HE" style="font-size:11.0pt;color:#333333;background:#F2F2F2"><span dir="RTL"></span>.</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:black"> <o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">But I didn't understand where I can change those values.</span><span dir="RTL"></span><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span>
<o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:black"> <o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Who knows?</span><span dir="RTL"></span><span lang="HE" style="font-size:11.0pt;color:black"><span dir="RTL"></span><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="font-size:11.0pt;color:black"> <o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Thanks</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Izik Birka</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
<p dir="RTL" style="text-align:right;background:white;direction:rtl;unicode-bidi:embed">
<span lang="HE" style="color:black"><br>
</span><span dir="LTR" style="color:black">This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain materials protected by copyright or information that is non-public, proprietary,
 privileged, confidential, and exempt</span><span dir="RTL"></span><span style="color:black"><span dir="RTL"></span>
</span><span dir="LTR" style="color:black">from disclosure under applicable law or agreement. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited.
 If you have received this communication by</span><span dir="RTL"></span><span style="color:black"><span dir="RTL"></span>
</span><span dir="LTR" style="color:black">error, notify the sender immediately and delete this message immediately. Thank you</span><span dir="RTL"></span><span lang="HE" style="color:black"><span dir="RTL"></span>.
</span><span lang="HE" style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
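<p>Added example (Python), not from this thread or from the Snort project: a parser for the counters named in the quoted documentation (Priority Count, Connection Count, IP Count, Port/Proto Count and the IP/port ranges) as they appear in an sfPortscan alert payload, with a triage rule that reads Priority Count against Connection Count. The sample alerts, the log layout and the thresholds are constructed assumptions.</p>

```python
# Added example, not from the thread: parse the counters Snort's sfPortscan writes into
# each alert payload and triage them as the quoted doc suggests. Samples/thresholds assumed.
import re

FIELDS = {"Priority Count": int, "Connection Count": int, "IP Count": int, "Port/Proto Count": int,
          "Scanner IP Range": str.strip, "Scanned IP Range": str.strip, "Port/Proto Range": str.strip}
EVENT_RE = re.compile(r"^(\S+) -> (\S+) \((\w+)\) (.+)$")  # "src -> dst (portscan) TCP Portscan"

def parse_portscan_alert(text):
    """Return the event line and counters of one sfPortscan alert payload as a dict."""
    alert = {}
    for line in text.splitlines():
        if m := EVENT_RE.match(line.strip()):
            alert.update(scanner=m.group(1), target=m.group(2), type=m.group(4))
            continue
        name, sep, value = line.partition(":")  # "Priority Count: 180", "Port/Proto Range: 20:47557"
        if sep and name.strip() in FIELDS:
            alert[name.strip()] = FIELDS[name.strip()](value)
    return alert

def triage(alert, min_priority=5, max_benign_ratio=0.1):
    """Priority Count is the number of bad responses (RSTs, unreachables): a real scan
    draws many per connection, a busy server or NAT gateway few. Thresholds are assumed."""
    prio, conns = alert.get("Priority Count", 0), alert.get("Connection Count", 0)
    if conns == 0:
        return "inconclusive"
    ratio = prio / conns
    if prio >= min_priority and ratio > max_benign_ratio:
        return "likely scan"
    return "likely false positive" if ratio <= max_benign_ratio else "review"

def triage_log(log_text):  # one (scanner, verdict) per blank-line separated alert in a log
    return [(a["scanner"], triage(a)) for a in map(parse_portscan_alert, log_text.strip().split("\n\n"))]

SAMPLE_LOG = """\
10.0.0.5 -> 10.0.0.20 (portscan) TCP Portscan
Priority Count: 180
Connection Count: 200
IP Count: 1
Scanner IP Range: 10.0.0.5:10.0.0.5
Port/Proto Count: 200
Port/Proto Range: 20:47557

10.0.0.9 -> 10.0.0.20 (portscan) TCP Portscan
Priority Count: 2
Connection Count: 400
IP Count: 1
Scanner IP Range: 10.0.0.9:10.0.0.9
Port/Proto Count: 400
Port/Proto Range: 1024:65535"""  # constructed sample laid out like sfPortscan's alert payload
```

The second sample, many completed connections with almost no bad responses, is the pattern a busy server or a NAT gateway produces; the first, where most connections drew a reset or unreachable, is what a real scan looks like.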
</div>
</div>
</div>
</div>
</body>
</html>