Snort mailing list archives
Re: Question about 'TCP distributed portscan' signature
From: soc soc via Snort-users <snort-users () lists snort org>
Date: Wed, 26 Jul 2017 12:15:13 -0300
apologies, here is the log for this alert

Time: 07/26-10:57:43.470318
event_id: 1
10.70.165.242 -> 10.70.128.82 (portscan) TCP Distributed Portscan
Priority Count: 18
Connection Count: 15
IP Count: 1
Scanner IP Range: 10.70.165.242:10.70.165.242
Port/Proto Count: 15
Port/Proto Range: 53:64680

On Wed, Jul 26, 2017 at 12:13 PM, soc soc <queries.soc () gmail com> wrote:
Hello Everyone,

First of all, I wanted to say that we are new to Snort and to any IDS for that matter. We are trying to set this up in our environment, running snort+pulledpork+barnyard2+mysql+snorby. We are at the step of tuning the scan preprocessor to reduce many of the false positives we are receiving, and I wanted to ask a question about distributed portscans; if anyone could help, it would be very much appreciated.

We are seeing multiple "distributed portscan" alerts on our Snort for the same source and destination. By reading the README.sfcpreprocessor, we understand this is a "These are many->one portscans". This is the only scan we left configured in our snort.conf file, for the scanning part at least. But when looking at the alert, we see this:

Priority Count: 15
Connection Count: 20
IP Count: 1
Scanner IP Range: 10.70.165.242:10.70.165.242
Port/Proto Count: 20
Port/Proto Range: 22:31337

We did query the database where the alerts are being stored, and there was just one alert generated for this event, but all it says is that it was triggered for source 10.70.165.242 to 10.70.128.82. As we understand it, this should only be generated if the scan was done from multiple hosts to a single destination host; is this correct? The only IP in the alert is source 10.70.165.242. Is there a way to check why this could be generated? If there is any other info I can provide, please let me know.

Thanks in advance,
agustin
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
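The alert record quoted in the thread, as an added example that is not part of the original posts and not Snort's own code: a small Python parser for the sfPortscan alert layout shown above, plus a triage check that asks whether a "TCP Distributed Portscan" record's own counters (IP Count, Scanner IP Range) actually describe more than one scanner, which is the exact thing the poster is puzzled by. The first record is the one from the reply, laid out one field per line as sfPortscan writes it; the second record, with the addresses 10.70.165.240 through 10.70.165.243, is invented here to show what a record that passes the check looks like. The script does not decide whether Snort is right to label a single-source scan "Distributed"; it only flags records whose counters do not back the label so they can be asked about.

```python
import re
from ipaddress import ip_address

# Constructed input: record 1 is the alert quoted in the thread; record 2 is an
# invented many->one alert (hypothetical scanners 10.70.165.240-10.70.165.243)
# included so the consistency check has something to pass.
SAMPLE_LOG = """\
Time: 07/26-10:57:43.470318
event_id: 1
10.70.165.242 -> 10.70.128.82 (portscan) TCP Distributed Portscan
Priority Count: 18
Connection Count: 15
IP Count: 1
Scanner IP Range: 10.70.165.242:10.70.165.242
Port/Proto Count: 15
Port/Proto Range: 53:64680

Time: 07/26-11:02:10.000000
event_id: 2
10.70.165.240 -> 10.70.128.82 (portscan) TCP Distributed Portscan
Priority Count: 12
Connection Count: 16
IP Count: 4
Scanner IP Range: 10.70.165.240:10.70.165.243
Port/Proto Count: 16
Port/Proto Range: 21:445
"""

# "src -> dst (portscan) <scan type>" line that opens every sfPortscan record
HEADER_RE = re.compile(r"^(\S+) -> (\S+) \(portscan\) (.+)$")
# "Name: value" counter lines; the first ": " splits name from value, so
# values that themselves contain ":" (IP and port ranges) stay intact
FIELD_RE = re.compile(r"^([^:]+): (.*)$")


def parse_alerts(text):
    """Split an sfPortscan alert log into one dict per blank-line-separated record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = HEADER_RE.match(line)
            if m:
                rec["src"], rec["dst"], rec["scan_type"] = m.groups()
                continue
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        records.append(rec)
    return records


def triage(rec):
    """For a 'Distributed' (many->one) alert, check that the record's own
    counters describe more than one scanner. Returns (is_consistent, reasons)."""
    reasons = []
    if "Distributed" not in rec.get("scan_type", ""):
        return True, ["not a many->one alert; nothing to check"]
    ip_count = int(rec.get("IP Count", "0"))
    if ip_count <= 1:
        reasons.append(f"IP Count is {ip_count}; a many->one scan needs more than one scanner")
    lo, hi = rec["Scanner IP Range"].split(":")
    span = int(ip_address(hi)) - int(ip_address(lo)) + 1  # addresses covered by the range
    if span == 1:
        reasons.append(f"Scanner IP Range collapses to the single address {lo}")
    elif ip_count > span:
        reasons.append(f"IP Count {ip_count} exceeds the {span} addresses in the range")
    return (not reasons), reasons


if __name__ == "__main__":
    for rec in parse_alerts(SAMPLE_LOG):
        ok, why = triage(rec)
        print(f"event_id {rec['event_id']}: {rec['src']} -> {rec['dst']} {rec['scan_type']}")
        print("  counters consistent" if ok else "  needs a look: " + "; ".join(why))
```

Run against the thread's record the check reports both problems the poster noticed (IP Count of 1 and a scanner range that is a single address); the invented record passes. Pointing the same script at the real sfPortscan alert file gives a quick list of the records worth raising with the list or re-tuning.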
Current thread:
- Question about 'TCP distributed portscan' signature soc soc via Snort-users (Jul 26)
- Re: Question about 'TCP distributed portscan' signature soc soc via Snort-users (Jul 26)
- Re: Question about 'TCP distributed portscan' signature Al Lewis (allewi) via Snort-users (Jul 26)
- Re: Question about 'TCP distributed portscan' signature soc soc via Snort-users (Jul 27)
- Re: Question about 'TCP distributed portscan' signature Al Lewis (allewi) via Snort-users (Jul 27)
- Re: Question about 'TCP distributed portscan' signature soc soc via Snort-users (Jul 27)