Snort mailing list archives

Re: SYN flood detection


From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 10 May 2002 14:32:56 -0700 (PDT)

On Fri, 10 May 2002, Pawel Rogocz wrote:

> Thanks for bringing this up Erek.
>
> Just thinking out loud....  :)
>
> Now, I am not sure what the portscan processor really tries to do, if
> it only detects scans that are going to different ports.
> It will not detect scans going to the same port whether they go to the
> same box or not.

Well, I can't agree with this statement.  I've got listings in my portscan.log
that clearly show this behavior.

[...snip...]

May  8 11:32:27 206.47.65.111:21 -> 10.10.10.77:21 SYN ******S*
May  8 11:32:27 206.47.65.111:21 -> 10.10.10.83:21 SYN ******S*
May  8 11:41:49 202.188.200.44:21 -> 10.10.10.66:21 SYN ******S*
May  8 11:41:49 202.188.200.44:21 -> 10.10.10.68:21 SYN ******S*
May  8 11:41:49 202.188.200.44:21 -> 10.10.10.69:21 SYN ******S*

[...snip...]

That's from two different scans, both across the same subnets.  That scan only
went to port 21 on each and every IP across my $HOME_NET.

> The change to spp_portscan.c is trivial, but as Matt pointed out,
> you will have to think what your thresholds should be....

heh...  Tuning, Retuning, and Tuning again.  And who said running an IDS isn't
like working on a car? ;-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
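The disagreement in this message is about whether a "horizontal" scan (one port, many hosts) is reported the same way as a "vertical" scan (one host, many ports), and the answer in both cases turns on thresholds. The script below is an added example, not code from the thread or from Snort's spp_portscan.c: it parses portscan.log lines in the format shown above and counts distinct destination hosts per (source, port) and distinct ports per (source, host), flagging either when a threshold is crossed. The thresholds and the counting model are assumptions for illustration; spp_portscan's real counters and timing windows differ. The sample log mixes the five lines quoted above with constructed entries (192.0.2.10 and 10.10.10.5 are made up) so that both scan shapes and a non-matching line are exercised.

```python
import re
from collections import defaultdict

# Shape of a spp_portscan log line as quoted in the message above:
#   May  8 11:32:27 206.47.65.111:21 -> 10.10.10.77:21 SYN ******S*
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<kind>\S+)\s+(?P<flags>\S+)$"
)


def parse_line(line):
    """Return the fields of one portscan.log entry, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_scans(lines, host_threshold=3, port_threshold=3):
    """Summarise a batch of portscan.log lines into two kinds of alert.

    horizontal: (src, dport) -> sorted list of distinct destination hosts,
                reported when that list reaches host_threshold.
    vertical:   (src, dst)   -> sorted list of distinct destination ports,
                reported when that list reaches port_threshold.
    The thresholds are assumed values; tune them for the site, as the thread says.
    """
    hosts_per_port = defaultdict(set)   # (src, dport) -> {dst hosts}
    ports_per_host = defaultdict(set)   # (src, dst)   -> {dst ports}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                    # skip anything that is not a portscan entry
        hosts_per_port[(rec["src"], rec["dport"])].add(rec["dst"])
        ports_per_host[(rec["src"], rec["dst"])].add(rec["dport"])

    horizontal = {key: sorted(hosts) for key, hosts in hosts_per_port.items()
                  if len(hosts) >= host_threshold}
    vertical = {key: sorted(ports) for key, ports in ports_per_host.items()
                if len(ports) >= port_threshold}
    return {"horizontal": horizontal, "vertical": vertical}


# Constructed sample: the first five lines are the ones quoted in the message,
# the 192.0.2.10 -> 10.10.10.5 lines are made up to show a vertical scan,
# and the last line shows that unrelated text is ignored.
SAMPLE_LOG = """\
May  8 11:32:27 206.47.65.111:21 -> 10.10.10.77:21 SYN ******S*
May  8 11:32:27 206.47.65.111:21 -> 10.10.10.83:21 SYN ******S*
May  8 11:41:49 202.188.200.44:21 -> 10.10.10.66:21 SYN ******S*
May  8 11:41:49 202.188.200.44:21 -> 10.10.10.68:21 SYN ******S*
May  8 11:41:49 202.188.200.44:21 -> 10.10.10.69:21 SYN ******S*
May  8 11:50:02 192.0.2.10:40001 -> 10.10.10.5:22 SYN ******S*
May  8 11:50:02 192.0.2.10:40002 -> 10.10.10.5:25 SYN ******S*
May  8 11:50:03 192.0.2.10:40003 -> 10.10.10.5:80 SYN ******S*
May  8 11:50:03 192.0.2.10:40004 -> 10.10.10.5:443 SYN ******S*
this line is not a portscan entry
"""

if __name__ == "__main__":
    for threshold in (3, 2):
        result = detect_scans(SAMPLE_LOG.splitlines(), host_threshold=threshold)
        print(f"host_threshold={threshold}")
        for (src, dport), hosts in result["horizontal"].items():
            print(f"  horizontal: {src} -> port {dport} on {len(hosts)} hosts")
        for (src, dst), ports in result["vertical"].items():
            print(f"  vertical:   {src} -> {dst} ports {ports}")
```

Run with the default threshold of 3, only 202.188.200.44 (three hosts on port 21) and the constructed 192.0.2.10 (four ports on one host) are reported; 206.47.65.111 touched only two hosts in this excerpt and stays below the line. Lowering host_threshold to 2 flags it too, which is the tuning trade-off the thread is talking about: a lower threshold catches slower or smaller sweeps at the cost of more noise from legitimate multi-host traffic.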
