Snort mailing list archives

Portscan detection questions.


From: "Vinay A. Mahadik" <VAMahadik () lbl gov>
Date: Wed, 03 Jul 2002 15:50:29 -0700

Hi there,

I didn't find any specific answers to the following in the archives, and
hence am posting these here.

1. How come portscan types like the 'ACK scan' (wherein only the ACK flag
is set in the TCP packet) are ignored by Snort (spp_portscan and
spp_stream4)? These do help in network mapping, don't they?

2. Stream4 and portscan independently check TCP flags to detect scans,
and both are ON in the default configuration. Isn't this unnecessary
duplication? Any suggestions on which is 'better' (breadth- and speed-wise)?

3. (Haven't checked this yet) Some of the scan.rules rules are already
covered by the above preprocessors, e.g. SCAN FIN. Are these
intentional redundancies?

I could be wrong, but please do let me know.

Thanks,
Vinay.

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
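Detection logic for the ACK-only probe raised in question 1, as an added example that is not part of the original post or of Snort's own source. It classifies TCP flag combinations (SYN, FIN, NULL, XMAS, plus ACK-only) and applies a distinct-targets-per-time-window threshold in the spirit of spp_portscan's hits/seconds setting. The packet records, the 10.0.0.5 and 192.168.1.x addresses, and the threshold values are constructed sample data and assumptions, not anything from the list post.

```python
from collections import defaultdict

# TCP flag bits (RFC 793 bit order).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe types counted as scan traffic. ACK-only is added here to cover the
# case the post asks about; the other four are the classic probe shapes.
SCAN_TYPES = {"SYN": SYN, "FIN": FIN, "NULL": 0, "XMAS": FIN | PSH | URG, "ACK": ACK}

def classify(flags):
    """Return the probe type whose flag set matches exactly, else None."""
    for name, pattern in SCAN_TYPES.items():
        if flags == pattern:
            return name
    return None

def detect_scans(packets, target_threshold=4, window=3.0):
    """Alert on (src, probe type) pairs touching more than target_threshold
    distinct (dst, dport) targets within `window` seconds.
    packets: iterable of (timestamp, src, dst, dport, tcp_flags)."""
    history = defaultdict(list)   # (src, kind) -> [(ts, (dst, dport)), ...]
    alerted, alerts = set(), []
    for ts, src, dst, dport, flags in sorted(packets):
        kind = classify(flags)
        if kind is None:          # e.g. PSH|ACK data segments: normal traffic
            continue
        key = (src, kind)
        hist = history[key]
        hist.append((ts, (dst, dport)))
        hist[:] = [h for h in hist if ts - h[0] <= window]   # drop stale hits
        targets = {t for _, t in hist}
        if len(targets) > target_threshold and key not in alerted:
            alerted.add(key)
            alerts.append((src, kind, len(targets)))
    return alerts

# Constructed sample: one normal handshake plus an ACK-only sweep of six ports.
SAMPLE_PACKETS = [
    (0.0, "192.168.1.10", "192.168.1.20", 80, SYN),
    (0.1, "192.168.1.10", "192.168.1.20", 80, ACK),        # handshake, one port
    (0.2, "192.168.1.10", "192.168.1.20", 80, PSH | ACK),  # data, not a probe
] + [(1.0 + i / 10, "10.0.0.5", "192.168.1.20", p, ACK)
     for i, p in enumerate((21, 22, 23, 25, 80, 443))]

def run_sample():
    return detect_scans(SAMPLE_PACKETS)

if __name__ == "__main__":
    print(run_sample())   # [('10.0.0.5', 'ACK', 5)]
```

The legitimate ACK on port 80 never crosses the threshold, while the sweep is reported once, when its fifth distinct target appears inside the window.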

