Snort mailing list archives
Re: paranoid portscan preprocessor setup
From: Jim Burwell <jimb () broadvision com>
Date: Sat, 27 Jul 2002 13:11:16 -0700
Sounds to me like you want to catch any packet to ports that aren't allowed by your security policy, since it's obvious that you can't determine whether a single connection to an 'allowed' dip/dport can't be classified as a scan or legit connection easily (although a connection that immediately hangs up, or doesn't follow up w/ the required handshake, etc, could be classified as a scan or probe. Not sure if anything in Snort can look for this sort of thing.). The portscan preprocessor only reports a scan when a number of connections exceeds a threshold. One thing you may want to look into is Spade. It looks for 'unusual' packets to uncommon destinations and reports them. It may do more of what you're looking for.
- Jim

James Hoagland wrote:

> At 6:28 PM -0400 7/26/02, Jason Falciola wrote:
>
> > 2. I want to see an event even if only 1 port is scanned by an inbound TCP or UDP packet. This doesn't seem to be working. Do I need to write my own rule for this, or is it a configuration issue?
>
> I'm not clear on what you want here. A 1-packet scan is difficult to detect. If you try to do that with the portscan preprocessor (and it succeeds) I'll be reporting essentially all of your traffic as a scan in which case you had just as well run tcpdump. Its domain is currently only TCP SYNs, but look into Spade (another Snort preprocessor) if what you want to detect is unusual packets.
>
> Good luck,
> Jim
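The three detection ideas in this thread (alert on any packet to a dst/port the policy does not allow, flag connections that never complete the handshake or hang up at once, and the preprocessor's threshold-style scan count) side by side, as an added example that is not part of this thread or of Snort. The packet records, hosts, ports and policy are constructed for the example; flags are those sent by the client side of each flow.

```python
from collections import defaultdict

# Constructed sample records (not Snort output): (src_ip, dst_ip, dst_port, tcp_flags)
# as sent by the client. Hosts, ports and the policy below are assumptions.
PACKETS = [
    ("10.0.0.5", "192.168.1.10", 80, "S"),    # legit web connection ...
    ("10.0.0.5", "192.168.1.10", 80, "A"),    # ... handshake completed
    ("10.0.0.5", "192.168.1.10", 80, "PA"),
    ("10.0.0.9", "192.168.1.10", 23, "S"),    # one SYN to telnet: policy violation, no follow-up
    ("10.0.0.7", "192.168.1.10", 443, "S"),   # allowed port, but client hangs up at once
    ("10.0.0.7", "192.168.1.10", 443, "R"),
    ("10.0.0.3", "192.168.1.20", 21, "S"),    # classic scan: many ports from one source
    ("10.0.0.3", "192.168.1.20", 22, "S"),
    ("10.0.0.3", "192.168.1.20", 25, "S"),    # allowed target, still part of the scan
    ("10.0.0.3", "192.168.1.20", 110, "S"),
]

# Site policy: the (dst_ip, dst_port) pairs inbound traffic is allowed to reach.
ALLOWED = {("192.168.1.10", 80), ("192.168.1.10", 443), ("192.168.1.20", 25)}


def policy_violations(packets, allowed=ALLOWED):
    """Flows aimed at a dst/port the policy does not allow. Fires on a single packet,
    which is what the portscan preprocessor's threshold cannot do."""
    return sorted({(s, d, p) for s, d, p, _ in packets if (d, p) not in allowed})


def incomplete_handshakes(packets):
    """Flows where the client sent a SYN but never an ACK-bearing segment: the
    handshake was never completed, or the client hung up immediately."""
    syn, acked = set(), set()
    for s, d, p, flags in packets:
        key = (s, d, p)
        if "S" in flags:
            syn.add(key)
        if "A" in flags:
            acked.add(key)
    return syn - acked


def portscan_sources(packets, threshold=4):
    """Threshold-style detection in the spirit of the portscan preprocessor:
    sources that touched at least `threshold` distinct dst/port targets."""
    targets = defaultdict(set)
    for s, d, p, _ in packets:
        targets[s].add((d, p))
    return {s for s, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    print("policy violations:", policy_violations(PACKETS))
    print("incomplete handshakes:", sorted(incomplete_handshakes(PACKETS)))
    print("portscan sources:", portscan_sources(PACKETS))
```

Note that the single telnet SYN from 10.0.0.9 is caught only by the policy check, and the aborted 443 connection from 10.0.0.7 only by the handshake check; neither source comes anywhere near the scan threshold.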