Since these port scan alerts are from the Snort sfportscan preprocessor, your best option is to tune out false positives from your IDS. Tuning at the log analysis layer works, of course, but the general rule is to always move your tuning as far upstream as possible. In this case, modify the "ignore_scanners" option in your snort.conf and tune out known source IPs that are legitimately scanning your network.
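As an added illustration of the upstream tuning Tom describes (this is not a fragment from either poster's configuration), here is a Snort 2.x sfportscan preprocessor stanza before and after adding `ignore_scanners`. The addresses 10.1.1.5 (an authorized vulnerability scanner) and 10.1.2.0/24 (a monitoring subnet) are placeholders chosen for the example, not anything from the thread:

```conf
# Before: every scanning source is reported, including your own scanners,
# so OSSEC sees and has to suppress the resulting alerts downstream.
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }

# After: sources you know scan legitimately are dropped inside Snort itself.
# ignore_scanners takes a space-separated list of IPs and CIDR blocks;
# hosts listed here are ignored only as scan *sources*. Use ignore_scanned
# (same syntax) for hosts that are legitimately scanned as *targets*.
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low } \
                         ignore_scanners { 10.1.1.5 10.1.2.0/24 } \
                         logfile { portscan.log }
```

Restart Snort after editing snort.conf so the new preprocessor settings take effect. Keep the list to hosts you control and can account for: anything that sends packets from an address in `ignore_scanners` is invisible to sfportscan, so an attacker who lands on (or spoofs) one of those addresses gets a free pass from the port scan detector, even though other Snort rules still fire.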
Tom, that sure makes sense - why have snort report it and then OSSEC ignore it if I don't want to see it in the first place? Thanks much... -- Tim Boyer Director Information Systems and Engineering Projects Denman Tire Corporation [EMAIL PROTECTED]
