Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Snort-users] No clue?

from [Briggs, Bruce] Network Security [Permanent Link]
Subject: RE: [Snort-users] No clue?
Date: Tue, 15 Nov 2005 16:38:07 -0500 
Did you comment out the lines following the    preprocessor sfportscan
line?
                        memcap { 10000000 } \
                        sense_level { low } 


A few lines about    preprocessor sfportscan  is a description of
ignore_scanners 

Bruce

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of John
Friedman
Sent: Tuesday, November 15, 2005 2:47 PM
To: snort
Subject: Re: [Snort-users] No clue?

Thank you for your reply.  If I comment out 
# preprocessor sfportscan:
the snort service can not be started.  Also, what's
the syntax to ignore this host from sf portscan?

Thansk for your help,

John

--- Matt Kettler <mkettler@evi-inc.com> wrote:


John Friedman wrote:

Hi all,
 
Since I did not get any reply on this, is there

any way to suppress or

pass this alert?
 


Suggestion: look at the ignorehosts option for
portscan.

Pass definitely will not work. Since pass is a rule,
it can only work if the
offending traffic is matching a rule.

You might be able to suppress it, but you'd probably
wind up having to suppress
all portscans...

It's generally best to configure your portscan
plugins properly in the first
place. Actually, if you're monitoring an internal
LAN, you'll probably just want
to turn it off or turn the thresholds way up.





                
__________________________________ 
Start your day with Yahoo! - Make it your home page! 
http://www.yahoo.com/r/hs


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id845&opÌk
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] No clue?, John Friedman
Next by Date:  Re: [Snort-users] No clue?, John Friedman
Previous by Thread:  RE: [Snort-users] No clue?, John Friedman
Next by Thread:  RE: [Snort-users] No clue?, John Friedman
Indexes:  [Date] [Thread] [Top] [All Lists]