Snort mailing list archives
Portscan signatures
From: "Ron Shuck" <rshuck () Buchanan com>
Date: Wed, 12 Feb 2003 13:42:41 -0600
Hi, I haven't found this is the archives, so I apologize if this is a duplicate. Has anyone noticed that even after deleting events, you have a lot of portscan signatures clogging up the signature table? Normally, you wouldn't care if a signature stayed in the database after deleting the associated alert(s), but with portscans each one is unique to source, # of targets, # of ports, and # of seconds. I just checked mine and I have 3185 "bogus" signatures now after only a couple months. Is there a mechanism for cleaning these up someone has alraedy done? Ron Shuck, CISSP
Current thread:
- Portscan signatures Ron Shuck (Feb 12)
- <Possible follow-ups>
- Portscan signatures Ron Shuck (Feb 12)