Snort mailing list archives
Re: port scans
From: Michael Boman <michael.boman () gmail com>
Date: Mon, 27 Dec 2004 23:23:48 +0800
On Mon, 27 Dec 2004 06:38:33 -0800 (PST), Sidharth Deshpande <sade_in () yahoo com> wrote:
> Hello team,
> I am running snort on a test network. I was interested to know if snort can detect port scans that are extremely slow. Port scans that span over a few days for example. Is there a way for snort to identify this kind of scan? I hope you could help me out with this information.
> Thanks
> Sidharth Deshpande
For extremely slow portscans an IDS like SHADOW is more suited. However, you can do something like Frank Knobbe described at http://msgs.securepoint.com/cgi-bin/get/snort-0404/325/1.html, i.e. alerting on non-existing hosts/ports.

Best regards
Michael Boman
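The idea in the reply above (alert on traffic to hosts/ports that do not exist, so scan speed stops mattering) as an added example; it is not code from the post, from Frank Knobbe's message, or from Snort. The service inventory, log format and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed inventory: the only (host, port) pairs that legitimately exist.
LIVE_SERVICES = {("10.0.0.10", 80), ("10.0.0.10", 443), ("10.0.0.25", 25)}

# Constructed sample log: "ISO-timestamp src dst dport", spread over days.
SAMPLE_LOG = """\
2004-12-20T03:14:07 198.51.100.7 10.0.0.11 22
2004-12-20T09:00:00 203.0.113.5 10.0.0.10 80
2004-12-21T17:45:31 198.51.100.7 10.0.0.10 23
2004-12-22T11:02:10 203.0.113.9 10.0.0.25 25
2004-12-23T22:30:55 198.51.100.7 10.0.0.40 445
2004-12-24T08:15:00 203.0.113.5 10.0.0.10 8080
2004-12-25T04:59:12 198.51.100.7 10.0.0.25 110
"""

def parse(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_slow_scanners(log_text, live=LIVE_SERVICES, min_targets=3):
    """Return {src: (distinct_unused_targets, span_in_days)} for sources that
    touched at least min_targets nonexistent host/port pairs. There is no
    time window, so a scan spread over days accumulates like a fast one."""
    targets = defaultdict(set)   # src -> set of unused (dst, dport) probed
    seen = defaultdict(list)     # src -> timestamps of those probes
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse(line)
        if (dst, dport) in live:
            continue  # traffic to a real service is not evidence of scanning
        targets[src].add((dst, dport))
        seen[src].append(ts)
    report = {}
    for src, hit in targets.items():
        if len(hit) >= min_targets:
            span = (max(seen[src]) - min(seen[src])).days
            report[src] = (len(hit), span)
    return report

if __name__ == "__main__":
    for src, (count, days) in find_slow_scanners(SAMPLE_LOG).items():
        print(f"{src}: {count} unused targets over {days} days")
```

A single stray hit (such as a mistyped port) stays below min_targets, while the source probing one unused target a day is still reported.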