Snort mailing list archives
Re: Flow-portscan oddity
From: Chris Green <cmg () uab edu>
Date: Wed, 14 Apr 2004 16:52:32 -0400
"Douglas McCrea" <dmccrea () rutgers edu> writes:
That's what I mean... Flow-Portscan works in the sense that it can be configured to show that a scan or attack is happening from one host to another, but it's totally useless without actually knowing what ports are being scanned... As an analyst, the information below is nearly useless to me.
At most it will only keep the last machines scanned when outputting via the pktkludge output. It's supposed to be a real-time component to give you something to alert on, and then go look at NetFlow-esque data from around that alert timerange to find out what was actually being scanned. I'll be the first to admit configuring it is a PITA, but it's good at being consistent on memory usage. It also suffers from having been shoved into the same old output systems that everything else uses. I think it also has way too many end user knobs exposed by default, so the command line configuration really sucks.

Cheers,
--
Chris Green <cmg () dok org>
"I have no ability to read string handling code in a gaim window" -- me
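The workflow Chris describes (the preprocessor raises a scan alert, the analyst then pulls NetFlow-style records around the alert time to recover the scanned ports) as an added example; this is not code from the thread or from Snort, the record layout and the sample alert and flows are constructed, and the `window` width is an assumed default:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

@dataclass
class Flow:
    """One NetFlow-esque record (constructed layout, not a real exporter format)."""
    start: datetime
    src: str
    dst: str
    dport: int
    proto: str

@dataclass
class ScanAlert:
    """What a flow-portscan style alert gives you: time, scanner, target, no ports."""
    when: datetime
    src: str
    dst: str

def scanned_ports(alert: ScanAlert, flows: List[Flow],
                  window: timedelta = timedelta(minutes=5)) -> Dict[str, List[int]]:
    """Return {proto: sorted destination ports} that alert.src touched on alert.dst
    within +/- window of the alert time. Flows from other sources, to other targets,
    or outside the window are ignored so unrelated traffic is not blamed on the scanner."""
    lo, hi = alert.when - window, alert.when + window
    ports: Dict[str, set] = {}
    for f in flows:
        if f.src == alert.src and f.dst == alert.dst and lo <= f.start <= hi:
            ports.setdefault(f.proto, set()).add(f.dport)
    return {proto: sorted(p) for proto, p in ports.items()}

# Constructed sample data: one alert and a handful of flow records around it.
T = datetime(2004, 4, 14, 16, 52)
ALERT = ScanAlert(T, "10.0.0.5", "10.0.1.20")
FLOWS = [
    Flow(T - timedelta(seconds=110), "10.0.0.5", "10.0.1.20", 22, "tcp"),
    Flow(T - timedelta(seconds=109), "10.0.0.5", "10.0.1.20", 80, "tcp"),
    Flow(T - timedelta(seconds=108), "10.0.0.5", "10.0.1.20", 443, "tcp"),
    Flow(T - timedelta(seconds=107), "10.0.0.5", "10.0.1.20", 3389, "tcp"),
    Flow(T - timedelta(seconds=106), "10.0.0.5", "10.0.1.20", 161, "udp"),
    Flow(T - timedelta(minutes=32), "10.0.0.5", "10.0.1.20", 25, "tcp"),  # outside window
    Flow(T - timedelta(seconds=60), "10.0.0.7", "10.0.1.20", 80, "tcp"),  # different source
]

if __name__ == "__main__":
    print(scanned_ports(ALERT, FLOWS))
```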