Snort mailing list archives

Portscan signatures


From: "Ron Shuck" <rshuck () Buchanan com>
Date: Wed, 12 Feb 2003 13:42:41 -0600

Hi,
 
I haven't found this in the archives, so I apologize if this is a duplicate.
 
Has anyone noticed that even after deleting events, you have a lot of portscan signatures clogging up the signature table? Normally, you wouldn't care if a signature stayed in the database after deleting the associated alert(s), but with portscans each one is unique to source, # of targets, # of ports, and # of seconds. I just checked mine and I have 3185 "bogus" signatures now after only a couple months.
 
Is there a mechanism for cleaning these up that someone has already done?
 
 
Ron Shuck, CISSP
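
A sketch of the cleanup asked about above, added here as an example and not taken from the original post or from any Snort tooling: it lists portscan signature rows that no remaining event references, and deletes them only when asked to. The two-table schema, the column names and the sample rows are simplified assumptions constructed for the demonstration; check them against your own database before adapting the query.

```python
import sqlite3

# Assumed, simplified subset of an alert database (names are assumptions).
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER NOT NULL,
                    PRIMARY KEY (sid, cid));
"""

# A signature is an orphan when its name matches and no event points at it.
ORPHAN_FILTER = """
    sig_name LIKE ? AND NOT EXISTS
    (SELECT 1 FROM event WHERE event.signature = signature.sig_id)
"""

def find_orphans(conn, name_pattern="%portscan%"):
    """Return (sig_id, sig_name) rows that are unreferenced and match the pattern."""
    query = f"SELECT sig_id, sig_name FROM signature WHERE {ORPHAN_FILTER} ORDER BY sig_id"
    return conn.execute(query, (name_pattern,)).fetchall()

def purge_orphans(conn, name_pattern="%portscan%", dry_run=True):
    """Count orphaned signatures; delete them in one transaction unless dry_run."""
    count = len(find_orphans(conn, name_pattern))
    if not dry_run:
        with conn:  # commits on success, rolls back on error
            conn.execute(f"DELETE FROM signature WHERE {ORPHAN_FILTER}", (name_pattern,))
    return count

def build_sample():
    """Constructed sample data: one static rule and three per-scan signatures."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?)", [
        (1, "EXAMPLE static rule"),  # unreferenced, but not a portscan: kept
        (2, "portscan from 192.0.2.10: 3 targets 40 ports in 5 seconds"),
        (3, "portscan from 192.0.2.77: 1 targets 12 ports in 2 seconds"),
        (4, "portscan from 198.51.100.4: 9 targets 9 ports in 1 seconds"),
    ])
    conn.execute("INSERT INTO event VALUES (1, 1, 4)")  # only sig 4 still has an alert
    return conn

if __name__ == "__main__":
    db = build_sample()
    for sig_id, name in find_orphans(db):
        print(f"orphan {sig_id}: {name}")
    print("deleted:", purge_orphans(db, dry_run=False))
```

Run it with `dry_run=True` first and compare the count with what you expect before deleting anything from a production database.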
 
