> -----Original Message-----
> From: phunked up! [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 30, 2005 2:14 PM
> To: [email protected]
> Subject: Snort rules setup.
>
> I am trying to get rid of the errors of: "(portscan) Open Port" in my Snort logs. They are filling it up quite fast. I have put a line in the threshold.conf file and enabled that file in the snort.conf file, but that has done nothing so far.
>
> Setup is Centos/MySQL/Snort/BASE. Any advice would be much appreciated.
>
> Thanks!
Instead of using threshold.conf I used some suppress commands in snort.conf. I don't remember which gen_id and sig_id portscan/open port is, but I added these 4 lines in my snort.conf to shut it and http_inspect up in regards to certain events:

suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 15

I'm sure some googling will shed light on the combination you may need, although I remember it taking me forever to figure out what to do.

Derick Anderson
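The reply above works from memory of which generator and signature ids to suppress. A more repeatable way to get there is to count the noisy events in the alert log first and derive the suppress lines from the [gid:sid] pairs you actually see. The script below is an added example, not code from the thread or from the Snort project: it parses alert_fast-style lines (the sample lines are constructed, not from the poster's logs), counts events per gid/sid, emits `suppress gen_id N, sig_id M` lines for anything above a threshold, and validates each line against the Snort 2.x suppress syntax (`suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip>]`), which catches typos such as a stray trailing colon that would make Snort reject the config at startup. Generator 122 is the sfPortscan preprocessor and 119 is http_inspect; the exact message text per sid in the samples is illustrative.

```python
import re
from collections import Counter

# Constructed sample alert_fast lines (not taken from the original thread).
SAMPLE_ALERTS = """\
11/30-14:14:01.000001 [**] [122:27:0] (portscan) Open Port [**] [Priority: 3] {TCP} 192.0.2.10 -> 192.0.2.20:80
11/30-14:14:01.000002 [**] [122:27:0] (portscan) Open Port [**] [Priority: 3] {TCP} 192.0.2.10 -> 192.0.2.20:443
11/30-14:14:02.000003 [**] [122:19:0] (portscan) UDP Portsweep [**] [Priority: 3] {UDP} 192.0.2.10 -> 192.0.2.21
11/30-14:14:03.000004 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.0.2.30:51234 -> 192.0.2.20:80
11/30-14:14:04.000005 [**] [122:27:0] (portscan) Open Port [**] [Priority: 3] {TCP} 192.0.2.11 -> 192.0.2.20:22
11/30-14:14:05.000006 [**] [1:2000001:1] Constructed local rule alert [**] [Priority: 2] {TCP} 192.0.2.40:4444 -> 192.0.2.20:25
"""

# alert_fast format: "<timestamp> [**] [gid:sid:rev] <message> [**] ..."
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")

# Snort 2.x suppress syntax; an optional track/ip clause narrows the suppression.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+\d+,\s*sig_id\s+\d+"
    r"(?:,\s*track\s+by_(?:src|dst),\s*ip\s+\S+)?$"
)


def parse_alert_line(line):
    """Return (gid, sid, message) for one alert_fast line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, _rev, msg = m.groups()
    return int(gid), int(sid), msg


def count_events(log_text):
    """Count alerts per (gid, sid, message) across a block of alert_fast text."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_alert_line(line)
        if parsed:
            counts[parsed] += 1
    return counts


def suppress_lines(counts, min_count=2):
    """Emit suppress lines for every event seen at least min_count times, noisiest first."""
    noisy = [(key, n) for key, n in counts.items() if n >= min_count]
    noisy.sort(key=lambda item: (-item[1], item[0][0], item[0][1]))
    return [f"suppress gen_id {gid}, sig_id {sid}" for (gid, sid, _msg), _n in noisy]


def validate_suppress(line):
    """True if the line is syntactically valid Snort 2.x suppress config."""
    return SUPPRESS_RE.match(line.strip()) is not None


if __name__ == "__main__":
    counts = count_events(SAMPLE_ALERTS)
    for (gid, sid, msg), n in counts.most_common():
        print(f"[{gid}:{sid}] {msg}: {n}")
    for line in suppress_lines(counts):
        print(line, "OK" if validate_suppress(line) else "INVALID")
```

Before adding a global suppress for sfPortscan's Open Port event, consider whether you still want scan visibility at all: `suppress gen_id 122, sig_id 27, track by_src, ip <scanner-ip>` (a placeholder, not an address from the thread) silences only a known vulnerability scanner, and Snort's `event_filter`/`threshold` with `type limit` keeps one alert per source per interval instead of none, which is usually the better fit when the goal is a smaller log rather than a blind spot.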
