Snort mailing list archives

preprocessor flow-portscan


From: Kevin Amorin <kevmcs11 () yahoo com>
Date: Wed, 28 Jan 2004 14:28:16 -0800 (PST)

Hello,
   I am trying to work out a base configuration for
flow-portscan.

What I have currently is:

preprocessor flow: stats_interval 10 hash 2
preprocessor flow-portscan: unique-memcap 5000000 \
             unique-rows 50000 \
             tcp-penalties on \
             server-scanner-limit 5000 \
             scanner-sliding-threshold 12 \
             scanner-fixed-threshold 2 \
             scanner-sliding-window 30 \
             scanner-fixed-window 60 \
             talker-fixed-threshold  12 \
             talker-sliding-threshold  12 \
             talker-fixed-window  60 \
             talker-sliding-window  30 \
             alert-mode all \
             output-mode msg


This config will generate an alert but will not alert
twice for the same host.
   I would like to alert every 60 seconds if the
internal hosts are port scanning external subnets.  I
have tried not using the server-* options and lowering the
thresholds and sliding windows, but to no avail.  Any
help is appreciated.



Thanks
Kevin


