I would like to decrease the number of false positives given by sfPortscan (snort preprocessor) when set to a sense_level of medium or higher. Currently, the preprocessor states the number of connections being made to a given port or IP, which we can use to deduce whether the alert is a false positive or not (or at least get a clearer picture). Unfortunately, snort doesn't allow us to set the minimum number of IP or port connections needed to trigger an alert, and this info can only be seen if you specify where to store the full log in the preprocessor config in snort.conf.
sfPortscan's log format is as follows:

-----example #------
Time: 10/22-09:46:50.253113
event_id: 16
1.1.1.1 -> 2.2.2.2 (portscan) TCP Filtered Portsweep
Priority Count: 3
Connection Count: 30
IP Count: 21
Scanned IP Range: 67.202.94.93:209.222.141.182
Port/Proto Count: 7
Port/Proto Range: 80:1656
----------------------------

I would like to use OSSEC and create a decoder / rule so that I have a better chance of detecting these port scans by filtering out the common false positives. My experience with OSSEC is very limited, but I'm aware that there is a "snort-full" log format decoder. I was planning on using it as an example to create the new decoder but haven't been able to find it yet. Could anyone point me in the right direction?
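The parsing and threshold logic a decoder/rule for this format would have to encode, as an added example that is not part of the original post and not OSSEC's own decoder: it reads records in the full-log layout quoted above, pulls out the four counters, and keeps only events that clear hypothetical minimums (the threshold values and the sample record are constructed for illustration).

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the sfPortscan full-log layout quoted in the post above.
SAMPLE_LOG = """Time: 10/22-09:46:50.253113
event_id: 16
1.1.1.1 -> 2.2.2.2 (portscan) TCP Filtered Portsweep
Priority Count: 3
Connection Count: 30
IP Count: 21
Scanned IP Range: 67.202.94.93:209.222.141.182
Port/Proto Count: 7
Port/Proto Range: 80:1656
"""

# Header line "<src> -> <dst> (portscan) <scan type>"; the "<name> Count: <n>" lines carry the counters.
HEADER_RE = re.compile(r"^(\S+) -> (\S+) \(portscan\) (.+)$", re.M)
COUNT_RE = re.compile(r"^(Priority|Connection|IP|Port/Proto) Count: (\d+)$", re.M)

@dataclass
class ScanEvent:
    src: str
    dst: str
    scan_type: str
    counts: dict = field(default_factory=dict)

def split_records(log_text):
    """Split a full-log file into records; each one starts with a 'Time:' line."""
    return [p for p in re.split(r"(?m)^(?=Time: )", log_text) if p.strip()]

def parse_record(record):
    """Extract endpoints, scan type and the integer counters from one record."""
    m = HEADER_RE.search(record)
    if m is None:
        raise ValueError("not an sfPortscan record")
    counts = {name: int(n) for name, n in COUNT_RE.findall(record)}
    return ScanEvent(m.group(1), m.group(2), m.group(3).strip(), counts)

def should_alert(ev, min_connections=20, min_ips=10, min_ports=5):
    """Hypothetical thresholds: enough connections, and either many hosts (a sweep)
    or many ports (a scan). Tune them against the site's own false-positive history."""
    c = ev.counts
    if c.get("Connection", 0) < min_connections:
        return False
    return c.get("IP", 0) >= min_ips or c.get("Port/Proto", 0) >= min_ports

def filter_alerts(log_text, **thresholds):
    """Return only the events that clear the thresholds (what the post asks for)."""
    return [ev for ev in map(parse_record, split_records(log_text)) if should_alert(ev, **thresholds)]
```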
