snort logging all outbound traffic as port-scan?

Pcghost · 04-19-2004, 12:38 PM

EDIT: After further digging, it occurs to me that configuring Snort is more like configuring Iptables than configuring Squid. I am going to have to write a conf file from scratch to fit our needs, as modifying the default snort.conf file is hopeless. God I hope it doesn't take as long as learning iptables scripting.

Revised Question:

If I use the preprocessor flow_portscan for detection of portscans, do I still need preprocessor portscan? Or does the former replace the latter in terms of functionality?

unSpawn · 04-20-2004, 01:45 AM

If I use the preprocessor flow_portscan for detection of portscans, do I still need preprocessor portscan? Or does the former replace the latter in terms of functionality?
IIRC in Snort-2.1.x conversation, portscan and portscan2 where replaced by flow-portscan.

Pcghost · 04-20-2004, 11:40 AM

Cool, thanks Unspawn. Can you suggest a good book on Snort? I see that there are a number of them, some specific to Snort and some more focused on Snort with LAMP. I intend to use Snort for long-term network intrusion detection.

unSpawn · 04-20-2004, 01:12 PM

Can you suggest a good book on Snort?
Soz, I can't. I usually read online docs (when I got the time that is).