snort logging all outbound traffic as port-scan?
EDIT: After further digging, it occurs to me that configuring Snort is more like configuring Iptables than configuring Squid. I am going to have to write a conf file from scratch to fit our needs, as modifying the default snort.conf file is hopeless. God I hope it doesn't take as long as learning iptables scripting. :D
Revised Question: If I use the preprocessor flow_portscan for detection of portscans, do I still need preprocessor portscan? Or does the former replace the latter in terms of functionality? |
Quote: If I use the preprocessor flow_portscan for detection of portscans, do I still need preprocessor portscan? Or does the former replace the latter in terms of functionality?
IIRC, in Snort-2.1.x, conversation, portscan and portscan2 were replaced by flow-portscan. |
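For reference, here is what that replacement looks like in a snort.conf written for Snort 2.1.x. This is an added example, not configuration posted by anyone in this thread: the old-style portscan, portscan2 and conversation lines are shown commented out, and the flow-portscan block that supersedes them follows. flow-portscan depends on the flow preprocessor, so that line must come first. The network ranges (10.0.0.0/8, 192.168.1.0/24, the 10.0.0.1 ignore address) and the thresholds are assumptions for illustration; tune them for your own watchnet. Note that from Snort 2.3 onward flow-portscan was itself superseded by sfportscan, so check the manual for the version you are actually running.

```conf
# --- Old way (Snort 2.0 and earlier): three separate preprocessors ---
# portscan2 needed the conversation preprocessor to track sessions.
# Leave these out when using flow-portscan; they are shown only for comparison.
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
#preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
#preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

# --- Snort 2.1.x way: flow + flow-portscan replace all three ---
# flow must be loaded before flow-portscan; it maintains the per-flow state
# that flow-portscan's scanner/talker counters are built on.
preprocessor flow: stats_interval 0 hash 2

# server-watchnet: the hosts we care about being scanned (assumed 10.0.0.0/8).
# src-ignore-net / dst-ignore-net: noisy legitimate talkers to exclude (assumed).
# talker-* thresholds catch one host touching many ports/hosts quickly;
# scanner-* thresholds catch hosts hitting ports nothing is listening on.
preprocessor flow-portscan: \
    server-watchnet [10.0.0.0/8] \
    server-ignore-limit 200 \
    server-scanner-limit 4 \
    talker-fixed-threshold 30 \
    talker-sliding-threshold 30 \
    talker-fixed-window 30 \
    talker-sliding-window 20 \
    scanner-fixed-threshold 15 \
    scanner-sliding-threshold 40 \
    scanner-fixed-window 15 \
    scanner-sliding-window 20 \
    src-ignore-net [192.168.1.0/24] \
    dst-ignore-net [10.0.0.1/32] \
    alert-mode once \
    output-mode msg \
    tcp-penalties on
```

After editing, validate the file without starting detection: `snort -c /etc/snort/snort.conf -T` parses the config and exits, so a typo in the preprocessor line shows up immediately rather than at the next restart. If your own outbound traffic is what is being flagged as a scan (the original problem in this thread), the fix is usually to add the scanning host or your monitoring box to src-ignore-net rather than to raise the thresholds globally, which would also hide real scans.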
Cool, thanks Unspawn. Can you suggest a good book on Snort? I see that there are a number of them, some specific to Snort and some more focused on Snort with LAMP. I intend to use Snort for long-term network intrusion detection.
Quote: Can you suggest a good book on Snort?
Soz, I can't. I usually read the online docs (when I've got the time, that is). |