Snort Forums Archive
Thresholding and suppression of alerts
Posted by mishka on March 20, 2005 03:46:48
I cannot threshold or suppress portscan events.
How do I get the real sid of the portscanning events?
I have tried 3,27,19,1 etc. and still I see the events accumulating.
Posted by Asha2442004 on April 26, 2005 03:57:47
Hi,
I too was receiving a lot of portscan and portsweep messages. This seems to have something to do with the sfPortscan preprocessor. If you are sure about the IPs then you can simply add the parameters "ignore_scanners" and/or "ignore_scanned" to the preprocessor sfportscan: line in your snort.conf file. Hope it helps.
-P
Posted by stucky on April 27, 2006 14:48:00
The problem with ignore_scanned is that now everything going to that host is ignored. I have 2 ldaps servers and I used to get tons of portscan alerts on port 636. I set the ignore_scanned option but I'm not sure that's the right thing to do, since now if one of those hosts REALLY got port-scanned, Snort would ignore it, right?
I want to only ignore the specific traffic that my ldap clients create but I'm not sure where to do that.
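The two mechanisms the thread touches on, the sfportscan preprocessor's ignore lists and Snort's own suppress/threshold directives, are shown together below as an added snort.conf fragment for Snort 2.x. It is not from any of the posters. sfPortscan alerts are emitted by generator id 122 (the sids 1, 3, 19 and 27 mentioned in the first post are sids of that generator), so suppression and thresholding have to name gen_id 122 rather than the default gen_id 1. All IP addresses are constructed placeholders.

```conf
# --- sfPortscan preprocessor (Snort 2.x), added example ---
# ignore_scanners: hosts whose *outbound* scan-like behaviour is ignored.
#   Listing only the known LDAP clients keeps detection for scans aimed
#   at the LDAPS servers from anywhere else, unlike ignore_scanned, which
#   drops every scan alert for the listed destination host.
#   Caveat: a listed client that is compromised and starts scanning is
#   also silent, so keep the list short and review it.
# ignore_scanned: hosts for which *inbound* scan alerts are dropped
#   entirely (left empty here on purpose).
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { low } \
    memcap { 10000000 } \
    ignore_scanners { 10.0.1.0/24 !10.0.1.250 } \
    ignore_scanned { }

# --- Output-side controls (placeholders: 10.0.0.20 / 10.0.0.21 = LDAPS servers) ---
# Suppress only TCP Portsweep (122:3) alerts that originate from the two
# LDAP client subnets' gateway hosts; every other 122:* alert still fires.
suppress gen_id 122, sig_id 3, track by_src, ip 10.0.1.10
suppress gen_id 122, sig_id 3, track by_src, ip 10.0.1.11

# Alternatively rate-limit instead of silence: at most one TCP Portscan
# (122:1) alert per destination LDAPS server per hour, so a real scan is
# still recorded once rather than flooding the log.
threshold gen_id 122, sig_id 1, type limit, track by_dst, count 1, seconds 3600
```

The preprocessor lists use sfportscan's brace syntax (space-separated addresses or CIDR blocks, with a leading `!` to carve out an exception), while `suppress` and `threshold` use the comma-separated syntax of Snort 2.x's threshold.conf; the same lines can live in snort.conf or in a file pulled in with `include`.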