Removed the flow-portscan preprocessor and inserted the sfportscan preprocessor. Flow-portscan has been deprecated from Snort.

1 files changed, 8 insertions, 25 deletions

diff --git a/packages/snort/snort.inc b/packages/snort/snort.inc
index 04ff8809..1023d90f 100644
--- a/packages/snort/snort.inc
+++ b/packages/snort/snort.inc
@@ -365,31 +365,14 @@ preprocessor rpc_decode: 111 32771
 preprocessor bo
 preprocessor telnet_decode
 
-#Flow Portscan
-preprocessor flow-portscan: \
-        talker-sliding-scale-factor 0.50 \
-        talker-fixed-threshold 30 \
-        talker-sliding-threshold 30 \
-        talker-sliding-window 20 \
-        talker-fixed-window 30 \
-        scoreboard-rows-talker 30000 \
-        server-watchnet \$HOME_NET \
-        server-ignore-limit 200 \
-        server-rows 65535 \
-        server-learning-time 14400 \
-        server-scanner-limit 4 \
-        scanner-sliding-window 20 \
-        scanner-sliding-scale-factor 0.50 \
-        scanner-fixed-threshold 15 \
-        scanner-sliding-threshold 40 \
-        scanner-fixed-window 15 \
-        scoreboard-rows-scanner 30000 \
-        alert-mode once \
-        output-mode msg \
-		portscan-ignorehosts: \$HOME_NET \
-        tcp-penalties on
-
-
+#sf Portscan
+preprocessor sfportscan: proto { all } \
+						scan_type { all } \
+						sense_level { high } \
+						watch_ip { \$HOME_NET } \
+						ignore_scanners { \$HOME_NET } \
+						ignore_scanned { \$HOME_NET }
+						
 #Required files
 include classification.config
 include reference.config