I suggest that you don't threshold these alerts. If you don't want
to see them at all, suppress them.
These are not "Errors", they are alerts of an Open Port Detection
through the sfportscan preprocessor. Check out the documentation on
both the preprocessor and Suppression in the Snort manual.
You also might want to check out the Snort-Users list.

Joel

On Nov 30, 2005, at 2:13 PM, phunked up! wrote:
I am trying to get rid of the errors of: "(portscan) Open Port" in my
Snort logs. They are filling it up quite fast. I have put a line in
the threshold.conf file and enabled that file in the snort.conf file
but that has done nothing so far.
Setup is CentOS/MySQL/Snort/BASE. Any advice would be much
appreciated.
Thanks!
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
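
The suppression suggested in the reply above, sketched as a threshold.conf fragment. This is an added example, not part of the original thread. It assumes Snort 2.x syntax and the stock gen-msg.map ids for sfPortscan (generator 122, sid 27 for "Open Port"); the IP address is a placeholder.

```conf
# threshold.conf, pulled in from snort.conf with:
#   include threshold.conf
# Constructed example. Confirm the ids against gen-msg.map on your sensor:
#   122 || 27 || portscan: Open Port

# A threshold entry of this general form only rate-limits an event; it is
# shown commented out for contrast with suppression.
# threshold gen_id 122, sig_id 27, type limit, track by_src, count 1, seconds 60

# Suppress the sfPortscan "Open Port" event everywhere, so it is never logged:
suppress gen_id 122, sig_id 27

# Narrower alternative: suppress it only for one known host and keep the
# event for everything else. 192.0.2.10 is a placeholder address.
# suppress gen_id 122, sig_id 27, track by_src, ip 192.0.2.10
```

Restart Snort after editing the file so the suppression is loaded, then confirm in BASE that new "(portscan) Open Port" events have stopped arriving.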