Snort mailing list archives

Re: [Snort-devel] About distributed portscans


From: James Hoagland <hoagland () SiliconDefense com>
Date: Thu, 18 Oct 2001 14:33:22 -0700

At 3:54 PM +0530 10/16/01, Mamata Desai wrote:
Hello all,

I am a graduate student and as part of my final project, was thinking of
implementing a distributed portscan detector. I believe snort portscan
detector detects one->one and one->many portscans, and there is work
going on to build the many->one and the many->many modules.

I would like to work on something like that. Could anybody provide me
with some guidance/suggestions as to how I should proceed? I would like
to know what the 'to do's are in this area, so that I can focus my work
efforts and help contribute in some way.

Mamata,

You might want to read the paper "Practical Automated Detection of Stealthy Portscans", linked to here:

  http://www.silicondefense.com/research/pubs.htm

This discusses Spice, developed at Silicon Defense. Spice can detect many->many and rather slow scans.

Best regards,

  Jim

--
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland () SiliconDefense com                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users