Snort mailing list archives
portscan detection in snort 2.8.0
From: Cache Hit <cachehit () webii net>
Date: Fri, 19 Oct 2007 07:31:27 -0500
Hello, I'm currently running snort 2.4.4 with the portscan and portscan2 preprocessors that I have hooked into a script that generates iptables rules. It works very well for what it is. I recently have been playing with snort 2.8, trying to get at least the same level of detection, with at least as few or fewer false positives. I notice that flow-portscan seems to work well at detecting some things portscan and portscan2 did not - like ICMP probes across my entire /22. It also picks up nmap scans and things like that. However, I've also noticed that it often seems to confuse source and destination, or at least it seems to be confusing them. What I mean to say is, if I have a process running on a machine in my src-ignore-net that opens a bunch of connections and thus has a bunch of high ports for its receiving end flow-portscan will alert on the destination host that is connecting to those ephemeral ports on my originating machine, even though the IP address of the originating host is in my src-ignore-net. Does anyone have any recommendations? I figured flow/flow-portscan would determine source and destination based on who had the SYN flag set. Because I'm not even talking about weird protocols like ftp that open their own receiving ports on the initiating host, I'm just talking about busy network programs, like a recursive wget, or something similar. I haven't played much with sfportscan. I had bad experiences attempting to use it when I upgraded from 1.9 to 2.4.4. thanks, -- cachehit () webii net “The sky above the port was the color of television, tuned to a dead station.” ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- portscan detection in snort 2.8.0 Cache Hit (Oct 19)