From df4a0aeaf688b499ec909638fc9064c2698208ed Mon Sep 17 00:00:00 2001
From: Scott Dale
Date: Wed, 21 Feb 2007 21:20:46 +0000
Subject: Removed the flow-portscan preprocessor and inserted the sfportscan preprocessor. Flow-portscan has been deprecated from Snort.
---
 packages/snort/snort.inc | 33 ++++++++-------------------------
 1 file changed, 8 insertions(+), 25 deletions(-)
(limited to 'packages/snort/snort.inc')
diff --git a/packages/snort/snort.inc b/packages/snort/snort.inc
index 04ff8809..1023d90f 100644
--- a/packages/snort/snort.inc
+++ b/packages/snort/snort.inc
@@ -365,31 +365,14 @@ preprocessor rpc_decode: 111 32771
 preprocessor bo
 preprocessor telnet_decode
-#Flow Portscan
-preprocessor flow-portscan: \
- talker-sliding-scale-factor 0.50 \
- talker-fixed-threshold 30 \
- talker-sliding-threshold 30 \
- talker-sliding-window 20 \
- talker-fixed-window 30 \
- scoreboard-rows-talker 30000 \
- server-watchnet \$HOME_NET \
- server-ignore-limit 200 \
- server-rows 65535 \
- server-learning-time 14400 \
- server-scanner-limit 4 \
- scanner-sliding-window 20 \
- scanner-sliding-scale-factor 0.50 \
- scanner-fixed-threshold 15 \
- scanner-sliding-threshold 40 \
- scanner-fixed-window 15 \
- scoreboard-rows-scanner 30000 \
- alert-mode once \
- output-mode msg \
- portscan-ignorehosts: \$HOME_NET \
- tcp-penalties on
-
-
+#sf Portscan
+preprocessor sfportscan: proto { all } \
+ scan_type { all } \
+ sense_level { high } \
+ watch_ip { \$HOME_NET } \
+ ignore_scanners { \$HOME_NET } \
+ ignore_scanned { \$HOME_NET }
+
 #Required files
 include classification.config
 include reference.config
--
cgit v1.2.3
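Review bot: In the added `sfportscan` block, `ignore_scanned { \$HOME_NET }` suppresses alerts for scans whose target is inside the protected network, and together with `watch_ip { \$HOME_NET }` and `ignore_scanners { \$HOME_NET }` it appears to leave no source/destination pair that can still alert. The removed flow-portscan block only exempted HOME_NET hosts as scanners (`portscan-ignorehosts`), so this looks like a loss of detection rather than a like-for-like swap. I would drop the `ignore_scanned` line and end the block at `ignore_scanners { \$HOME_NET }` without the trailing `\`, and ideally narrow `ignore_scanners` to the specific known-noisy hosts, since exempting all of HOME_NET also hides an internal host that starts scanning. `sense_level { high }` is the most sensitive setting, so some false-positive tuning should be expected on busy hosts. The enclosing snort.conf template string starts and ends outside the hunk.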