Snort mailing list archives

Re: Detecting slow portscans with snort


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 24 Jan 2005 11:22:35 -0500

At 12:33 PM 1/23/2005, Bjarte Malmedal wrote:
> How should conversation/portscan2 be configured to catch slow portscans?

They shouldn't.

Ideally one would use Spade, but that snort plugin is just regaining its footing. It's the only scan detector that I've used that has any decent success against ultra-slow scans (i.e. less than one probe per day). Unfortunately the spade plugin is in a bit of a state of disrepair and has only recently had anyone interested in working on maintaining it...


sfportscan is a pretty handy tool too, but it is somewhat focused on nmap-based scans. While nmap does cover a lot of manual scanning activity, it's certainly not comprehensive. However, since nmap is one of the few off-the-shelf tools with built-in slow scan support, it's an even larger majority of slow scans.

sfportscan is probably your best bet for right now... Spade probably needs a bit more catch-up time to regain beta status, much less stable status.


You can keep an eye on spade's progress at:
http://www.computersecurityonline.com/spade/
and:
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/?cvsroot=SPADE
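The reply does not spell out why a window-based preprocessor such as portscan2 is the wrong tool for a probe-a-day scan. The following constructed Python sketch is an added illustration (not code from the post, from Snort, or from Spade): a threshold-over-time-window detector with assumed parameters (more than 5 distinct ports within the window) run over constructed probe records, once with a 60-second window and once with a 30-day window, showing that only the long memory catches the slow source and what that memory costs.

```python
from collections import defaultdict, deque

DAY = 86400

# Constructed sample probes: (seconds since epoch, source IP, destination port).
# 10.0.0.5 hits 10 ports in 2 seconds (fast scan); 10.0.0.9 hits one new port
# per day for 8 days (slow scan); 10.0.0.7 is an ordinary client.
PROBES = (
    [(100 + i * 0.2, "10.0.0.5", 20 + i) for i in range(10)]
    + [(d * DAY, "10.0.0.9", 1000 + d) for d in range(8)]
    + [(500, "10.0.0.7", 80), (600, "10.0.0.7", 443)]
)


def detect(probes, max_ports, window):
    """Flag any source that contacts more than max_ports distinct destination
    ports within any span of `window` seconds (the window/threshold model).
    Returns (flagged_sources, peak_state_entries) so that the memory a long
    window demands is visible alongside the detections it buys."""
    flagged, peak = set(), 0
    recent = defaultdict(deque)  # src -> (t, port) records still inside the window
    for t, src, port in sorted(probes):
        q = recent[src]
        q.append((t, port))
        while q and t - q[0][0] > window:  # expire records older than the window
            q.popleft()
        if len({p for _, p in q}) > max_ports:
            flagged.add(src)
        peak = max(peak, sum(len(d) for d in recent.values()))
    return flagged, peak


def short_window(probes):
    """Minute-scale window: the slow scanner never has more than one
    record in memory at once, so it is invisible."""
    return detect(probes, max_ports=5, window=60)


def month_window(probes):
    """Month-scale window: every daily probe is still remembered when the
    next arrives, so the slow scanner crosses the threshold on day 6."""
    return detect(probes, max_ports=5, window=30 * DAY)


if __name__ == "__main__":
    print("60s window :", short_window(PROBES))
    print("30d window :", month_window(PROBES))
```

The peak state count returned by each run is the practical reason minute-scale preprocessors keep their windows short: remembering every source's probes for weeks is what a slow-scan detector must pay for.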


