Snort mailing list archives

portscan detection in snort 2.8.0


From: Cache Hit <cachehit () webii net>
Date: Fri, 19 Oct 2007 07:31:27 -0500

Hello,

I'm currently running snort 2.4.4 with the portscan and portscan2 preprocessors that I have hooked into a script that generates iptables rules. It works very well for what it is.

I recently have been playing with snort 2.8, trying to get at least the same level of detection, with at least as few or fewer false positives. I notice that flow-portscan seems to work well at detecting some things portscan and portscan2 did not, like ICMP probes across my entire /22. It also picks up nmap scans and things like that. However, I've also noticed that it often seems to confuse source and destination, or at least it seems to be confusing them. What I mean to say is, if I have a process running on a machine in my src-ignore-net that opens a bunch of connections and thus has a bunch of high ports for its receiving end, flow-portscan will alert on the destination host that is connecting to those ephemeral ports on my originating machine, even though the IP address of the originating host is in my src-ignore-net.

Does anyone have any recommendations? I figured flow/flow-portscan would determine source and destination based on who had the SYN flag set. I'm not even talking about weird protocols like ftp that open their own receiving ports on the initiating host; I'm just talking about busy network programs, like a recursive wget, or something similar.

I haven't played much with sfportscan. I had bad experiences attempting to use it when I upgraded from 1.9 to 2.4.4.


thanks,
--
cachehit () webii net
“The sky above the port was the color of television, tuned to a dead  
station.”



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users