Snort mailing list archives

Re: Yet another spp_portscan2 question


From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Thu, 6 Feb 2003 11:56:06 -0600 (CST)

If you only want portscan2 to activate given a src IP hitting multiple
destination hosts (rather than ports), then set the port limit to 65535 or
some other huge number.  That way, the port limit will (hopefully) never
be met, and you will be left looking at someone going 1 IP to many.

Hope that helps.

On Wed, 5 Feb 2003, Fialkowski, Joe wrote:

Hello List

 I have a question about spp_portscan2. And I don't think it has been
covered on this list. Forgive me if it has.

 Is there any way to log or alert only when a scan occurs on multiple
targets? I keep getting the message below when a user opens up a web page
with many images. I have already tried setting the port limit to 60 to
alleviate some of the chatter but still get a few hits from this
preprocessor. Any ideas are welcome.

(spp_portscan2) Portscan detected from 192.118.72.15
<http://4dde4/acid_stat_ipaddr.php?ip=192.118.72.15&netmask=32>: 1 targets
61 ports in 32 seconds


Thanks in advance,

Joe


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com
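
The thresholding discussed in this thread, as an added example that is not Snort's code and not from either poster: a simplified per-source model showing how raising the port limit leaves only the multi-target condition able to fire. Function and parameter names are this example's own, the traffic is constructed, and the "alert once a count exceeds its limit" rule is an assumption inferred from the quoted alert (61 ports with the limit at 60).

```python
# Simplified model of per-source scan thresholds; not Snort's implementation.
# Assumption: an alert fires once a count exceeds its limit, as in the
# thread's alert (61 ports reported with the port limit set to 60).

def scan_alerts(events, target_limit, port_limit, timeout=60):
    """events: (ts, src, dst, dport) tuples sorted by ts.
    Returns the first alert per source as (src, n_targets, n_ports, elapsed)."""
    state = {}      # src -> [window_start, set(dst), set(dport)]
    alerted = set()
    alerts = []
    for ts, src, dst, dport in events:
        win = state.get(src)
        if win is None or ts - win[0] > timeout:
            win = state[src] = [ts, set(), set()]   # start a fresh window
        win[1].add(dst)
        win[2].add(dport)
        over = len(win[1]) > target_limit or len(win[2]) > port_limit
        if over and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(win[1]), len(win[2]), ts - win[0]))
    return alerts

# Constructed traffic (documentation address ranges):
# one host reaching a single peer on 61 distinct ports, as a busy page load can,
BUSY = [(i * 0.5, "192.0.2.10", "198.51.100.5", 1024 + i) for i in range(61)]
# and one host touching port 80 on eight different machines.
SWEEP = [(40 + i, "203.0.113.7", f"198.51.100.{i + 1}", 80) for i in range(8)]
EVENTS = BUSY + SWEEP

def compare():
    """Run the same traffic with a low and a very high port limit."""
    noisy = scan_alerts(EVENTS, target_limit=5, port_limit=60)
    quiet = scan_alerts(EVENTS, target_limit=5, port_limit=65535)
    return noisy, quiet

if __name__ == "__main__":
    for label, result in zip(("port_limit=60", "port_limit=65535"), compare()):
        print(label, result)
```

In this model the single-target, many-port source drops out once the port limit is 65535, while the one-to-many source is still reported; the cost is that a many-port scan of a single host is no longer flagged by this check.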




