Snort mailing list archives

Re: ids problems


From: "Guillaume Arcas" <guillaume.arcas () free fr>
Date: Thu, 22 Apr 2004 07:16:38 +0200 (CEST)

Jasmine CHUA said:

Hi.

Problem 1)

Flow-Portscan works but not quite well for me. On Acid I only see the very
first portscan alert and thereafter, I don't get to see the next and the
next portscan alert on Acid. It's really weird. Right now, I can only see
all the portscan alerts in syslog.

Here's my snort.conf:

preprocessor flow: stats_interval  hash 2
preprocessor flow-portscan: unique-memcap 5000000 unique-rows 50000 tcp-penalties on server-scanner-limit 4 server-watchnet $HOME_NET alert-mode once output-mode pktkludge

You have to change the alert mode from "once" (only log the first event)
to "all" (quite self-explanatory...).

-- 
Guillaume Arcas

--------------------------------------------------
We must part. We are two children;
we have done a foolish thing. (Yvonne de Galais)
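To make the fix above checkable rather than eyeballed, here is an added example (not from the thread or the Snort project) that joins snort.conf continuation lines the way Snort reads them, parses the preprocessor directives into option maps, flags a flow-portscan line still set to "alert-mode once", and rewrites it to "alert-mode all". The sample configuration is constructed to mirror the one in the question; the "stats_interval 0" value is an assumption, since the mail lost it.

```python
"""Check a snort.conf for the flow-portscan alert-mode problem from the thread."""
import re

# Constructed sample modelled on the question's config; the mail dropped the
# stats_interval value, so "0" here is an assumption, not the poster's setting.
SAMPLE_CONF = r"""preprocessor flow: stats_interval 0 hash 2
preprocessor flow-portscan: unique-memcap 5000000 unique-rows 50000 \
    tcp-penalties on server-scanner-limit 4 server-watchnet $HOME_NET \
    alert-mode once output-mode pktkludge
"""

PREPROC_RE = re.compile(r"^preprocessor\s+([\w-]+)\s*:?\s*(.*)$")


def iter_directives(conf_text):
    """Yield logical lines with trailing-backslash continuations joined, skipping comments."""
    buf = []
    for raw in conf_text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        logical = " ".join(part.strip() for part in buf).strip()
        buf = []
        if logical and not logical.startswith("#"):
            yield logical


def parse_preprocessors(conf_text):
    """Return {preprocessor name: {option: value}}; a dangling option maps to None."""
    result = {}
    for logical in iter_directives(conf_text):
        m = PREPROC_RE.match(logical)
        if not m:
            continue
        args = m.group(2).split()
        result[m.group(1)] = {args[i]: (args[i + 1] if i + 1 < len(args) else None)
                              for i in range(0, len(args), 2)}
    return result


def flow_portscan_findings(conf_text):
    """List reasons the console would show only the first portscan (empty list = fine)."""
    pre = parse_preprocessors(conf_text)
    fp = pre.get("flow-portscan")
    if fp is None:
        return ["flow-portscan preprocessor is not enabled"]
    findings = []
    if fp.get("alert-mode") == "once":
        findings.append("alert-mode once: only the first event is logged; use alert-mode all")
    if "flow" not in pre:
        findings.append("flow preprocessor missing: flow-portscan depends on it")
    return findings


def fix_alert_mode(conf_text):
    """Return the config with the flow-portscan line switched to alert-mode all (logical lines, comments dropped)."""
    out = []
    for logical in iter_directives(conf_text):
        if logical.startswith("preprocessor flow-portscan"):
            logical = re.sub(r"\balert-mode\s+once\b", "alert-mode all", logical)
        out.append(logical)
    return "\n".join(out) + "\n"
```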


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net