Snort mailing list archives
Portscan detection questions.
From: "Vinay A. Mahadik" <VAMahadik () lbl gov>
Date: Wed, 03 Jul 2002 15:50:29 -0700
Hi there,

I didn't find any specific answers to the following in the archives, and hence posting these here..

1. How come there are portscan types like 'ACK scan' (wherein only the ACK flag is set in the TCP packet) ignored by Snort? (spp_portscan and spp_stream4). These do help in n/w mapping, don't they?

2. Stream4 and portscan independently check TCP flags to detect scans.. and are ON in the default configuration. Isn't this unnecessary duplication? Any suggestions on which is 'better' (breadth, speed wise)?

3. (Haven't checked this yet) Some of the scan.rules' rules are already covered in the above preprocessors.. e.g. SCAN FIN.. are these intentional redundancies?

I could be wrong.. but pls do let me know..

Thanks,
Vinay.

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
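The post asks why an ACK-only probe (only the ACK bit set in the TCP header) is not treated as a scan and notes that both preprocessors inspect TCP flags. The example below is added here and is not code from the post, from Snort, or from its preprocessors; it shows the flag check a stateless detector performs and why ACK-only packets are awkward for one: every established connection emits them, so the only stateless signal is one source touching many distinct destination ports, which is the fan-out heuristic implemented in `find_ack_scanners` (a hypothetical function; the threshold, the helper names and the packet samples are all constructed for this illustration).

```python
import struct
from collections import defaultdict

# TCP flag bits, as laid out in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header (no options) used as sample input."""
    # data offset 5 words (20 bytes), window 1024, checksum 0, urgent ptr 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 1024, 0, 0)


def tcp_flags(tcp_header):
    """Return the six classic flag bits from a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return tcp_header[13] & 0x3F


def classify(flags):
    """Label a flag combination the way a scan detector would name it."""
    if flags == ACK:
        return "ACK-only"
    if flags == SYN:
        return "SYN-only"
    if flags == FIN:
        return "FIN-only"
    if flags == 0:
        return "NULL"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "XMAS"
    return "other"


def find_ack_scanners(packets, port_threshold=5):
    """Stateless ACK-probe heuristic.

    packets: iterable of (src_ip, dst_ip, raw_tcp_header).
    A lone ACK is normal traffic inside an established connection, so a
    single ACK-only packet means nothing.  What a scanner produces, and a
    normal client almost never does, is ACK-only packets from one source to
    many *distinct* destination ports.  Returns {src_ip: sorted ports} for
    sources that exceed port_threshold.
    """
    probes = defaultdict(set)
    for src, dst, hdr in packets:
        if classify(tcp_flags(hdr)) != "ACK-only":
            continue
        dport = struct.unpack("!H", hdr[2:4])[0]
        probes[src].add((dst, dport))
    return {
        src: sorted(port for _, port in targets)
        for src, targets in probes.items()
        if len(targets) >= port_threshold
    }


def sample_packets():
    """Constructed traffic: one ACK-only sweep, one legitimate session, one SYN."""
    pkts = []
    # constructed scanner: ACK-only to six different ports on one host
    for port in (21, 22, 23, 25, 80, 443):
        pkts.append(("10.0.0.5", "192.0.2.10", build_tcp_header(40000, port, ACK)))
    # constructed legitimate client: many ACKs, but all to the same port
    for _ in range(20):
        pkts.append(("10.0.0.7", "192.0.2.10", build_tcp_header(51000, 443, ACK, seq=1000, ack=2000)))
    # constructed connection attempt: SYN-only, not an ACK probe
    pkts.append(("10.0.0.8", "192.0.2.10", build_tcp_header(52000, 22, SYN)))
    return pkts


if __name__ == "__main__":
    for src, ports in find_ack_scanners(sample_packets()).items():
        print(f"ACK-only probe fan-out from {src}: ports {ports}")
```

The legitimate client sends more ACK-only packets than the sweep does, yet is not reported, because the detector counts distinct (host, port) targets rather than packets. That distinction is the whole difficulty the post touches on: a flag-only check cannot tell a probe from an in-session ACK, which is why a stateful preprocessor that knows which connections exist has a real advantage for this packet type.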