Snort mailing list archives

RE: Flow-portscan oddity


From: Jasmine CHUA <Jasmine.Chua () internationalsos com>
Date: Fri, 16 Apr 2004 12:08:19 +0800

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all

Flow-Portscan works but not quite well for me. On Acid I only see the very
first portscan alert after restarting snort and barnyard, and thereafter I
don't see any of the subsequent portscan alerts on Acid. It's really
weird.

Anyone facing this problem?


-----Original Message-----
From: Dusty Hall [mailto:halljer () auburn edu]
Sent: Wednesday, April 14, 2004 22:27
To: Todd_Pratt () hartehanks com; dmccrea () rutgers edu;
Chad.Kreimendahl () umb com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Flow-portscan oddity


I guess I'll chime in...  Flow-Portscan seems to work OK for me but I never
know what port is getting scanned.  Thoughts?

-Dusty


*---alert-----
04/14-14:21:00.987513  [**] [121:1:1] Portscan detected from 161.57.x.x
Talker(fixed: 0 sliding: 0) Scanner(fixed: 16 sliding: 16) [**] 
04/14-14:21:34.725954  [**] [121:1:1] Portscan detected from 204.38.x.x
Talker(fixed: 0 sliding: 0) Scanner(fixed: 16 sliding: 14) [**] 
04/14-14:21:38.207946  [**] [121:1:1] Portscan detected from 12.173.x.x
Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15) [**] 
04/14-14:21:38.347495  [**] [121:1:1] Portscan detected from 12.173.x.x
Talker(fixed: 0 sliding: 0) Scanner(fixed: 40 sliding: 40) [**] 

*---my-config-----
preprocessor flow-portscan: \
server-watchnet [xxx.xxx.xxx.xxx/xx] \
dst-ignore-net [xxx.xxx.xxx.xxx/xx] \
src-ignore-net [xxx.xxx.xxx.xxx/xx] \
unique-memcap 5000000 unique-rows 50000 \
tcp-penalties on \
server-rows 65535 \
server-scanner-limit 50 \
alert-mode once \
#alert-mode all \
output-mode msg \
#output-mode pktkludge \
server-learning-time 3600
*-------------------


"Kreimendahl, Chad J" <Chad.Kreimendahl () umb com> 4/13/2004 4:21:16 PM

I haven't attempted the syslog method of alerting, but I doubt that's
it, being that their alerting method is centralized.  Have you generated
alerts on your own and verified them?

I've just attempted using your config with our setup, and again it did
not see my scans (and no, they did not originate from $HOME_NET).
What's your config for the flow preproc?

________________________________

From: Todd_Pratt () hartehanks com [mailto:Todd_Pratt () hartehanks com] 
Sent: Tuesday, April 13, 2004 2:02 PM
To: Douglas McCrea
Cc: Snort Users; snort-users-admin () lists sourceforge net 
Subject: RE: [Snort-users] Flow-portscan oddity



flow-portscan works for me.  I get between 20 and 40 alerts per hour.
The only output I use is syslog so I don't know if that makes a
difference. 

Here's the line I use: 

        preprocessor flow-portscan: alert-mode once src-ignore-net
$HOME_NET 

I'm running 2.1.2 build 25 

Todd Pratt
Systems Security Certified Practitioner
IT Security Administrator
Harte Hanks, Inc.
ph 978-436-3368
tpratt () hartehanks com 



"Douglas McCrea" <dmccrea () rutgers edu> 
Sent by: snort-users-admin () lists sourceforge net 

04/13/2004 11:56 AM 

        
..........



- -------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBQH9cMv4wcdIw6CVjEQJ4bgCeM4F/eFULF6o+hcOsMhvFAm96650Ani41
xMVq4u9V7/VjTkva5KsYTc3o
=r5Ei
-----END PGP SIGNATURE-----
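The alerts Dusty pasted are flow-portscan's output-mode msg lines as they land in the fast alert file: a timestamp, the [121:1:1] generator/sid/rev, the source address, and the fixed- and sliding-window Talker and Scanner scores, with no destination port anywhere in the line. The script below is an added example (not Snort code and not written by anyone in the thread) that parses that layout and summarises it per source, which is as far as the msg output lets you go. The sample alerts are constructed to match the posted format, including two records wrapped across lines the way the mail client wrapped Dusty's; the private and documentation addresses in them are placeholders, not the originals.

```python
"""Parse Snort 2.x flow-portscan alerts (output-mode msg) and summarise
them per source address.  Added example, not part of Snort or the thread."""
import re

# Constructed sample in the layout of the posted alerts.  The last two
# records are wrapped across lines, as a mail client does; the parser must
# cope with that as well as with one-line records.
SAMPLE_ALERTS = """\
04/14-14:21:00.987513  [**] [121:1:1] Portscan detected from 10.0.0.5 Talker(fixed: 0 sliding: 0) Scanner(fixed: 16 sliding: 16) [**]
04/14-14:21:34.725954  [**] [121:1:1] Portscan detected from 192.0.2.9 Talker(fixed: 0 sliding: 0) Scanner(fixed: 16 sliding: 14) [**]
04/14-14:21:38.207946  [**] [121:1:1] Portscan detected from 198.51.100.7
Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15) [**]
04/14-14:21:38.347495  [**] [121:1:1] Portscan detected from 198.51.100.7
Talker(fixed: 0 sliding: 0) Scanner(fixed: 40 sliding: 40) [**]
some unrelated line that must be ignored
"""

# One flow-portscan alert.  "\s+" between fields also matches a newline, so
# records wrapped by a mail client still parse.  Other generators' alerts in
# the same file simply do not match and are skipped.
ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"Portscan detected from (?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"Talker\(fixed:\s*(?P<talker_fixed>\d+)\s+sliding:\s*(?P<talker_sliding>\d+)\)\s+"
    r"Scanner\(fixed:\s*(?P<scanner_fixed>\d+)\s+sliding:\s*(?P<scanner_sliding>\d+)\)"
    r"\s*\[\*\*\]"
)

INT_FIELDS = ("gid", "sid", "rev", "talker_fixed", "talker_sliding",
              "scanner_fixed", "scanner_sliding")


def parse_alerts(text):
    """Return one dict per flow-portscan alert, in file order.
    Non-matching text is skipped rather than raising."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        rec = m.groupdict()
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        alerts.append(rec)
    return alerts


def summarize(alerts):
    """Aggregate alerts per source address.  Keyed on source only, because
    the msg output carries no destination port (the gap Dusty points out)."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["src"], {
            "count": 0, "first_ts": a["ts"], "last_ts": a["ts"],
            "max_talker_fixed": 0, "max_scanner_fixed": 0,
        })
        s["count"] += 1
        s["last_ts"] = a["ts"]
        s["max_talker_fixed"] = max(s["max_talker_fixed"], a["talker_fixed"])
        s["max_scanner_fixed"] = max(s["max_scanner_fixed"], a["scanner_fixed"])
    return summary


def repeat_sources(summary):
    """Sources that produced more than one alert in the input."""
    return [src for src, s in summary.items() if s["count"] > 1]


if __name__ == "__main__":
    for src, s in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src:16} alerts={s['count']} first={s['first_ts']} "
              f"last={s['last_ts']} max_scanner_fixed={s['max_scanner_fixed']}")
```

Run it against a real fast alert file by replacing SAMPLE_ALERTS with the file's contents; because the regex anchors on the "[121:" generator ID and the "Portscan detected from" text, rule alerts from other generators in the same file are left alone.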

