Snort mailing list archives

detecting outgoing portscans


From: Andrew Daviel <andrew () andrew triumf ca>
Date: Fri, 12 Oct 2001 10:49:56 -0700 (PDT)



In the wake of NIMDA, when we had a supposedly patched machine infected,
I thought I'd try to enable the portscan preprocessor (Snort 1.7)
on everything. I initially tried to have two portscan entries, with
different logfiles and different thresholds, but that doesn't work.

If I have a threshold of 30 or so, as for detecting real inbound scans, I
get a lot of bogus outbound scans from people websurfing. I *think* that
Snort registers a SYN scan if a user aborts a page load in a browser, as
for instance clicking a link before all the images have loaded. I've seen
190 SYN alerts in a couple of hours from someone using a search engine.

Is there any way to treat this as "normal", perhaps if an unacked SYN
follows one or more acked packets ? Otherwise I guess I set a threshold in
a postprocessor higher, like 500. I'd like to catch outbound scanning or
worm activity for which I don't have a pattern, either because I'm lazy or
where one hasn't been written yet.

I'd found I was getting way too many false positives from the regular
Snort pattern matching to bother investigating. Again, I suppose I can set
a postprocessor to trigger on 500 outbound alerts or something.

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca

