Snort mailing list archives
flow-portscan really suitable ???
From: BIZOU <bizou () voila fr>
Date: Thu, 4 Mar 2004 17:09:30 +0100 (CET)
Hi,

I've been working with Snort 2.1.1 for a few days. I was previously on Snort 2.0.5. I had to change my portscan2 configuration into flow-portscan and ... well, I dislike it.

Indeed, I tuned my portscan2 preprocessor with scanner-max 256, target_max 1024, target_limit 30, port_limit 40, timeout 40, and it was quite fine. I used portscan2-ignorehost and ignore-port too. I caught MydoomB scans, Blaster.C or B (don't remember) scans, nmap scans.... Now with flow-portscan, I have nothing except false positive scans.

I'm managing 6 NIDS in a wide environment, so I cannot define a HOME_NET or whatever defined variable. When I looked at my Prelude reporting GUI this morning (I use a Prelude framework for alerting), I only saw false scan alerts. I tried to configure flow-portscan in several ways; I cannot succeed in getting correct results.

So please,
1 - tell me that it will be possible again to use portscan2 in future releases
2 - tell me a way to configure flow-portscan correctly and simply (without a learning time)
3 - tell me a way to add flow-portscan ignore port from
4 - tell me that destination port will be present in pktkludge soon
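The poster's portscan2 tuning names four knobs (target_limit, port_limit, timeout, plus ignore-host/ignore-port exclusions). As an added illustration that is not Snort source and not the poster's configuration, the toy detector below reimplements that style of threshold-in-a-window logic over constructed flow records, so the effect of each knob can be seen directly: a vertical scan trips port_limit, a horizontal sweep trips target_limit, an excluded host never alerts, and a slow scan that spaces probes wider than the timeout never accumulates enough state. The semantics are an approximation of portscan2's, chosen for clarity; no mapping to flow-portscan's own option names is attempted here.

```python
from collections import defaultdict, deque

# Event = (timestamp_seconds, src_ip, dst_ip, dst_port). All values below are
# constructed sample data, not captured traffic.
SAMPLE_EVENTS = [
    # vertical scan: one source, one target, four distinct ports in 4 s
    (0, "10.0.0.9", "10.0.1.1", 21),
    (1, "10.0.0.9", "10.0.1.1", 22),
    (2, "10.0.0.9", "10.0.1.1", 23),
    (3, "10.0.0.9", "10.0.1.1", 25),
    # horizontal sweep: one source, five targets, same port
    (0, "10.0.0.7", "10.0.1.1", 445),
    (1, "10.0.0.7", "10.0.1.2", 445),
    (2, "10.0.0.7", "10.0.1.3", 445),
    (3, "10.0.0.7", "10.0.1.4", 445),
    (4, "10.0.0.7", "10.0.1.5", 445),
    # known internal sweeper (ignore-host equivalent): must not alert
    (0, "10.0.0.53", "10.0.1.1", 53),
    (1, "10.0.0.53", "10.0.1.2", 53),
    (2, "10.0.0.53", "10.0.1.3", 53),
    (3, "10.0.0.53", "10.0.1.4", 53),
    (4, "10.0.0.53", "10.0.1.5", 53),
    # slow scan: one port every 30 s, never four ports inside a 40 s window
    (0, "10.0.0.8", "10.0.1.1", 21),
    (30, "10.0.0.8", "10.0.1.1", 22),
    (60, "10.0.0.8", "10.0.1.1", 23),
    (90, "10.0.0.8", "10.0.1.1", 24),
    # benign repeated web traffic: one host, one port
    (0, "10.0.0.5", "10.0.1.1", 80),
    (1, "10.0.0.5", "10.0.1.1", 80),
    (2, "10.0.0.5", "10.0.1.1", 80),
]


class PortscanDetector:
    """Threshold-in-a-sliding-window scan detector (portscan2-like, approximate)."""

    def __init__(self, target_limit, port_limit, timeout,
                 ignore_hosts=(), ignore_ports=()):
        self.target_limit = target_limit   # distinct targets from one source
        self.port_limit = port_limit       # distinct ports on one target
        self.timeout = timeout             # window length in seconds
        self.ignore_hosts = set(ignore_hosts)
        self.ignore_ports = set(ignore_ports)
        # per source: deque of (ts, dst, dport) still inside the window
        self.history = defaultdict(deque)

    def _expire(self, src, now):
        q = self.history[src]
        while q and now - q[0][0] > self.timeout:
            q.popleft()

    def feed(self, ts, src, dst, dport):
        """Record one flow; return an alert tuple on the first crossing, else None."""
        if src in self.ignore_hosts or dport in self.ignore_ports:
            return None
        q = self.history[src]
        q.append((ts, dst, dport))
        self._expire(src, ts)
        targets = {d for _, d, _ in q}
        ports_on_dst = {p for _, d, p in q if d == dst}
        # Distinct-count grows by at most one per event, so '==' fires exactly
        # once per window instead of flooding alerts while the scan continues.
        if len(targets) == self.target_limit:
            return ("TARGET_SCAN", src, len(targets))
        if len(ports_on_dst) == self.port_limit:
            return ("PORT_SCAN", src, dst, len(ports_on_dst))
        return None


def run_demo(events=SAMPLE_EVENTS):
    """Run the detector with small demo thresholds and return the alerts raised."""
    det = PortscanDetector(target_limit=5, port_limit=4, timeout=40,
                           ignore_hosts={"10.0.0.53"})
    alerts = []
    for ts, src, dst, dport in sorted(events):
        alert = det.feed(ts, src, dst, dport)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Thresholds are deliberately tiny so the sample data trips them; the poster's production values (target_limit 30, port_limit 40, timeout 40) would require far more events. The slow-scan case is the same trade-off the timeout knob expresses in any such preprocessor: a shorter window cuts memory and false positives from bursty legitimate clients, at the cost of missing probes spaced wider than the window.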
Current thread:
- flow-portscan really suitable ??? BIZOU (Mar 04)
- <Possible follow-ups>
- RE: flow-portscan really suitable ??? Douglas McCrea (Mar 04)
- Re: RE: flow-portscan really suitable ??? BIZOU (Mar 04)
- RE: RE: flow-portscan really suitable ??? Douglas McCrea (Mar 04)
- Re: RE: RE: flow-portscan really suitable ??? BIZOU (Mar 05)
- Re: RE: RE: flow-portscan really suitable ??? Jeremy Hewlett (Mar 05)