Snort mailing list archives
Re: Portscan parameters
From: Glenn Forbes Fleming Larratt <glratt () rice edu>
Date: Tue, 1 Oct 2002 15:10:19 -0500 (CDT)
I use the 20 hits in 5 seconds as a threshold. I get very few
false positives.
-g
On Tue, 1 Oct 2002, shadi Rostami wrote:
I was just wondering, what are the typical values for portscan threshold and period. In snort.conf, it seems to be 4 ports in 3 seconds. Are these realistic numbers? Don't you get many false alarms if you set these numbers? I myself was thinking of portscan as about 50 scans within a second!
Glenn Forbes Fleming Larratt
Rice University Network Management
glratt () rice edu
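
The three settings mentioned in this thread (4 ports in 3 seconds, 20 in 5 seconds, 50 in 1 second) can be compared with a simplified sliding-window counter. This is an added example, not part of the original messages and not Snort's preprocessor code. It assumes a scan is counted as distinct destination ports per source address, and all hosts and traffic below are constructed.

```python
from collections import defaultdict, deque

def detect_portscans(events, ports, seconds):
    """Return {src: time of first alert} for sources that touch at least
    `ports` distinct destination ports inside a `seconds`-long window.
    `events` is a time-sorted list of (timestamp, src_ip, dst_port)."""
    windows = defaultdict(deque)          # src -> recent (timestamp, port)
    alerts = {}
    for ts, src, dport in events:
        win = windows[src]
        win.append((ts, dport))
        # Expire events that fell out of the detection period.
        while ts - win[0][0] >= seconds:
            win.popleft()
        if src not in alerts and len({p for _, p in win}) >= ports:
            alerts[src] = ts
    return alerts

def constructed_traffic():
    """Constructed sample events (not captured traffic)."""
    events = []
    # Benign: a mail client opening 5 services in a short burst.
    for i, port in enumerate([25, 110, 143, 993, 995]):
        events.append((10.0 + 0.4 * i, "10.0.0.5", port))
    # Benign: a monitoring host polling 12 services over about 4 seconds.
    for i in range(12):
        events.append((15.0 + 0.35 * i, "10.0.0.9", 8000 + i))
    # Scan: 60 sequential ports in under one second.
    for i in range(60):
        events.append((20.0 + i / 60.0, "192.0.2.10", 1 + i))
    return sorted(events)

# (ports, seconds) pairs taken from the thread.
THRESHOLDS = {
    "4 ports / 3 s": (4, 3),
    "20 ports / 5 s": (20, 5),
    "50 ports / 1 s": (50, 1),
}

def compare():
    """Map each threshold to the sorted list of sources it alerts on."""
    events = constructed_traffic()
    return {name: sorted(detect_portscans(events, p, s))
            for name, (p, s) in THRESHOLDS.items()}

if __name__ == "__main__":
    for name, sources in compare().items():
        print(f"{name:15s} -> {sources}")
```

On this constructed data the 4-in-3 setting alerts on both benign hosts as well as the sweep, while the other two settings alert only on the sweep.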
