IDS mailing list archives
IDS and portscan-detection
From: klaus.dombrofsky () degussa com
Date: Thu, 28 Aug 2003 15:49:34 +0200
Hi folks,

I'm managing several IDS-systems (Snort-basis) with a central SQL-database. One option in my sensors is Portscan Detection with several settings:

Number Of Ports
Number Of Hosts
Detection Period (s)

So, what would you suggest as good settings for detecting portscans? How many ports or how many hosts in what period of time is a value that makes sense? The smaller the settings the bigger the amount of data, the bigger the settings the bigger is the chance to miss "important data". Where is the happy medium?

Maybe it makes no sense to keep an eye on portscans on the IDS, because most scans are typical evident scans from "harmless" guys and so on.

best regards

Klaus-Peter Dombrofsky
its.on Global Network Services Security Management
T +49.(0)8621 86 3057
M +49.(0)175 2617851
E-Mail: Klaus.Dombrofsky () degussa com
GPG-Key available
Fingerprint C4DB D0C8 63AB E637 7879 A7FC 2A97 7196 CF34 0C1D
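The trade-off between the three settings named in the message above (number of ports, number of hosts, detection period) can be seen by replaying the same traffic under different thresholds. This is an added example, not part of the original post and not Snort's own algorithm; the window semantics, function names and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def detect_scans(events, max_ports, max_hosts, period):
    """Return [(ts, src, reason)] for time-sorted (ts, src, dst_host, dst_port) events.

    Assumed semantics (not taken from any product): a source is flagged once it
    touches >= max_ports distinct ports or >= max_hosts distinct hosts within
    the last `period` seconds.
    """
    windows = defaultdict(deque)            # src -> recent (ts, dst, port)
    seen, alerts = set(), []
    limits = {"ports": max_ports, "hosts": max_hosts}
    for ts, src, dst, port in events:
        win = windows[src]
        win.append((ts, dst, port))
        while ts - win[0][0] > period:      # drop entries older than the window
            win.popleft()
        counts = {"ports": len({p for _, _, p in win}),
                  "hosts": len({d for _, d, _ in win})}
        for reason in ("ports", "hosts"):
            if counts[reason] >= limits[reason] and (src, reason) not in seen:
                seen.add((src, reason))     # one alert per source and reason
                alerts.append((ts, src, reason))
    return alerts

def flagged(events, max_ports, max_hosts, period):
    """Set of source addresses that raised at least one alert."""
    return {src for _, src, _ in detect_scans(events, max_ports, max_hosts, period)}

def sample_events():
    """Constructed traffic using documentation address ranges only."""
    ev = [(i * 0.1, "198.51.100.5", "192.0.2.10", 1 + i) for i in range(20)]      # fast vertical scan
    ev += [(i * 30.0, "198.51.100.9", "192.0.2.10", 100 + i) for i in range(12)]  # slow scan, 1 port / 30 s
    ev += [(100 + i * 0.3, "198.51.100.7", f"192.0.2.{i + 1}", 22)
           for i in range(15)]                                                    # sweep of one port
    ev += [(50.0, "198.51.100.3", "192.0.2.20", 80),                              # ordinary client
           (51.0, "198.51.100.3", "192.0.2.20", 443),
           (52.0, "198.51.100.3", "192.0.2.21", 53)]
    return sorted(ev)

if __name__ == "__main__":
    for ports, hosts, period in [(3, 2, 60), (5, 5, 60), (5, 5, 300), (30, 20, 10)]:
        hits = sorted(flagged(sample_events(), ports, hosts, period))
        print(f"ports>={ports} hosts>={hosts} in {period}s -> {hits}")
```

With the constructed traffic, the smallest thresholds also flag the ordinary client, the middle setting misses the slow scan until the period is lengthened, and the largest thresholds flag nothing.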