Snort mailing list archives
Re: [Snort-devel] About distributed portscans
From: James Hoagland <hoagland () SiliconDefense com>
Date: Thu, 18 Oct 2001 14:33:22 -0700
At 3:54 PM +0530 10/16/01, Mamata Desai wrote:
Hello all, I am a graduate student and as part of my final project, was thinking of implementing a distributed portscan detector. I believe snort portscan detector detects one->one and one->many portscans, and there is work going on to build the many->one and the many->many modules. I would like to work on something like that. Could anybody provide me with some guidance/suggestions as to how I should proceed? I would like to know what are the 'to do's in this area, so that I can focus my work efforts and help contribute in some way.
Mamata,

You might want to read the paper "Practical Automated Detection of Stealthy Portscans", linked to here:

http://www.silicondefense.com/research/pubs.htm

This discusses Spice, developed at Silicon Defense. Spice can detect many->many and rather slow scans.
Best regards,
Jim

--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland () SiliconDefense com *|
|* http://www.silicondefense.com/ *|
|* Silicon Defense - Technical Support for Snort *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
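The thread names four scan shapes (one->one, one->many, many->one, many->many) without showing what separates the "distributed" two from the ones a per-source counter already catches. The script below is an added illustration, not code from Snort, Spice or either poster: it classifies a constructed log of connection attempts into those four shapes by first flagging sources that are loud on their own, then pooling the sources that individually stay under the threshold. All IP addresses, ports, the `threshold` value and the /24 pooling heuristic are assumptions made for the demo.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One connection attempt: (timestamp, source IP, destination IP, destination port)
Record = Tuple[int, str, str, int]


def _net24(ip: str) -> str:
    """First three octets of a dotted quad, used as a coarse 'target network' key."""
    return ip.rsplit(".", 1)[0] + ".0/24"


def classify_scans(records: List[Record], threshold: int = 5) -> Dict[str, list]:
    """Sort connection attempts into the four scan shapes named in the thread.

    A source with >= threshold distinct (host, port) targets is reported on its
    own: one->one when all targets are on a single host, one->many when it
    touched >= threshold hosts. Sources that stay under the threshold are then
    pooled: many->one when enough quiet sources converge on one host,
    many->many when enough of them spread across one /24. The pooling step is
    what a purely per-source counter cannot do.
    """
    by_src: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    by_dst: Dict[str, Set[str]] = defaultdict(set)
    for _, src, dst, port in records:
        by_src[src].add((dst, port))
        by_dst[dst].add(src)

    out: Dict[str, list] = {"one->one": [], "one->many": [], "many->one": [], "many->many": []}
    loud: Set[str] = set()  # sources already explained by a single-source finding

    for src, targets in sorted(by_src.items()):
        dsts = {d for d, _ in targets}
        if len(dsts) == 1 and len(targets) >= threshold:
            out["one->one"].append((src, next(iter(dsts)), len(targets)))
            loud.add(src)
        elif len(dsts) >= threshold:
            out["one->many"].append((src, len(dsts)))
            loud.add(src)

    explained: Set[str] = set(loud)
    for dst, srcs in sorted(by_dst.items()):
        quiet = srcs - loud
        if len(quiet) >= threshold:
            out["many->one"].append((dst, len(quiet)))
            explained |= quiet

    # Remaining quiet sources are pooled per destination /24
    pool_srcs: Dict[str, Set[str]] = defaultdict(set)
    pool_dsts: Dict[str, Set[str]] = defaultdict(set)
    for src, targets in by_src.items():
        if src in explained:
            continue
        for dst, _ in targets:
            net = _net24(dst)
            pool_srcs[net].add(src)
            pool_dsts[net].add(dst)
    for net in sorted(pool_srcs):
        if len(pool_srcs[net]) >= threshold and len(pool_dsts[net]) >= threshold:
            out["many->many"].append((net, len(pool_srcs[net]), len(pool_dsts[net])))
    return out


def build_sample() -> List[Record]:
    """Constructed SYN log for the demo (not captured traffic)."""
    recs: List[Record] = []

    def add(src: str, dst: str, port: int) -> None:
        recs.append((len(recs), src, dst, port))  # timestamp = arrival order

    for port in range(20, 30):                # one->one: one host, ten ports on one target
        add("10.0.0.5", "192.168.1.10", port)
    for i in range(10):                       # one->many: one host, port 22 on ten targets
        add("10.0.0.6", f"192.168.1.{20 + i}", 22)
    for i in range(10):                       # many->one: ten hosts, one probe each, same target
        add(f"10.0.1.{i + 1}", "192.168.1.40", 1000 + i)
    for i in range(10):                       # many->many: ten hosts, one distinct target each
        add(f"10.0.2.{i + 1}", f"192.168.1.{50 + i}", 80)
    for _ in range(3):                        # benign: one client reconnecting to one service
        add("10.0.0.7", "192.168.2.70", 443)
    return recs


if __name__ == "__main__":
    for shape, hits in classify_scans(build_sample()).items():
        print(shape, hits)
```

Two limitations are worth keeping in mind when reading the output. Fixed counts over a batch of records are easy to stay under, so a scanner that spaces its probes out (the "rather slow scans" Jim mentions) never crosses the threshold; and the /24 pooling step counts every quiet client in that subnet, benign ones included, so on real traffic it inflates the many->many numbers. Both are reasons a production detector has to weigh how unusual each probe is rather than just count them.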