Snort mailing list archives

RE: ids problems

From: Jasmine CHUA <Jasmine.Chua () internationalsos com>
Date: Thu, 22 Apr 2004 14:38:00 +0800

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Thanks for your reply. I have tried that before. But it still does not work.
:(



- -----Original Message-----
From: Guillaume Arcas [mailto:guillaume.arcas () free fr]
Sent: Thursday, April 22, 2004 13:17
To: Jasmine CHUA
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ids problems


Jasmine CHUA a dit :

Hi.

Problem 1)

Flow-Portscan works but not quite well for me. On Acid I only see the very
first portscan alert and thereafter, I don't get to see the next and the
next portscan alert on Acid. Its really weird. Right now, I can only see
all
the portscan alerts in syslog.

Here's my snort.conf:

preprocessor flow: stats_interval  hash 2
preprocessor flow-portscan: unique-memcap 5000000 unique-rows 50000
tcp-penalties on server-scanner-limit 4 server-watchnet $HOME_NET
alert-mode
once output-mode pktkludge


You have to change the alert mode from "once" (only log the first event)
to "all" (quite self-understanding...).

- -- 
Guillaume Arcas

- --------------------------------------------------
Il faut nous quitter. Nous sommes deux enfants,
nous avons fait une folie. (Yvonne de Galais)

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBQIdoRv4wcdIw6CVjEQLAlACgoIsT+xw/qb9jVGiILvK+FVNG6mUAoMgL
pznXf7LRPjC3uimoFjMYVa9a
=HsnY
-----END PGP SIGNATURE-----


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

ids problems Jasmine CHUA (Apr 21)
- Re: ids problems Guillaume Arcas (Apr 22)
- <Possible follow-ups>
- RE: ids problems Jasmine CHUA (Apr 22)
  - RE: ids problems Guillaume Arcas (Apr 22)
- RE: ids problems Jasmine CHUA (Apr 22)
  - RE: ids problems Guillaume Arcas (Apr 22)