Snort mailing list archives
RE: Portscan2 and target limit
From: Steve Halligan <giermo () geeksquad com>
Date: Fri, 8 Nov 2002 13:15:16 -0600
You are missing the other part of the test. The port_limit option. The below portscan2 line reads: "Generate an alert if more than 30 targets OR more than 30 ports get hit in 5 seconds." The scan log you included is a scan that hit 31 ports, thus generating an alert.

-steve
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 30, port_limit 30, timeout 5

It is my understanding that with a target_limit setting of 30, a portscan would have to hit 30 different targets before an alert would be triggered. Here's the relevant section from the FM:

"target_limit number of hosts a scanner must talk to before a scan is triggered"

If this is indeed the case, why am I still seeing dozens of the following types of alerts:

(spp_portscan2) Portscan detected from 64.4.36.24: 1 targets 31 ports in 4 seconds

If I read that correctly, it says that the scanner at 64.4.36.24 hit 31 ports on 1 target in 4 seconds. According to the target_limit setting of 30, I should never see these alerts. What's up??
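As an added illustration of the point Steve makes (not code from the thread or from Snort itself), here is a simplified model of the portscan2 thresholds: a scanner trips the alert when EITHER the distinct-target count exceeds target_limit OR the distinct-port count exceeds port_limit inside the timeout window. The window handling is a plain fixed window from the scanner's first event, which is an assumption for the example and not Snort's real bookkeeping; the sample traffic and the 203.0.113.10 / 10.9.9.9 / 198.51.100.7 addresses are constructed.

```python
# Values from the preprocessor line quoted in the thread
TARGET_LIMIT = 30
PORT_LIMIT = 30
TIMEOUT = 5


def detect_scans(events, target_limit=TARGET_LIMIT, port_limit=PORT_LIMIT,
                 timeout=TIMEOUT):
    """events: (timestamp_sec, scanner_ip, target_ip, dst_port) tuples.
    Returns alert strings in the spp_portscan2 format shown in the thread,
    at most one alert per scanner per window (assumed simplification)."""
    state = {}   # scanner_ip -> counters for its current window
    alerts = []
    for ts, src, dst, port in sorted(events):
        s = state.get(src)
        if s is None or ts - s["start"] > timeout:
            # first sighting, or the window expired: start a fresh window
            s = {"start": ts, "targets": set(), "ports": set(), "alerted": False}
            state[src] = s
        s["targets"].add(dst)
        s["ports"].add(port)
        # OR, not AND: exceeding either limit is enough to fire the alert
        if not s["alerted"] and (len(s["targets"]) > target_limit
                                 or len(s["ports"]) > port_limit):
            s["alerted"] = True
            alerts.append(f"(spp_portscan2) Portscan detected from {src}: "
                          f"{len(s['targets'])} targets {len(s['ports'])} ports "
                          f"in {ts - s['start']} seconds")
    return alerts


def sample_events():
    """Constructed traffic for four scanners (sample data, not a real capture)."""
    ev = []
    # 64.4.36.24: one host, 31 distinct ports within 4 s -> the thread's alert
    ev += [(i // 7, "64.4.36.24", "10.0.0.5", 1 + i) for i in range(31)]
    # 203.0.113.10: 31 hosts on port 80 within 4 s -> trips target_limit instead
    ev += [(10 + i // 7, "203.0.113.10", f"10.0.1.{i}", 80) for i in range(31)]
    # 10.9.9.9: 20 hosts, 20 ports -> under both limits, no alert
    ev += [(20 + i % 5, "10.9.9.9", f"192.0.2.{i}", 1000 + i) for i in range(20)]
    # 198.51.100.7: 31 ports spread over 10 s -> window expires first, no alert
    ev += [(i // 3, "198.51.100.7", "10.0.0.6", 2000 + i) for i in range(31)]
    return ev


if __name__ == "__main__":
    for line in detect_scans(sample_events()):
        print(line)
```

Running it prints two alerts: the "1 targets 31 ports in 4 seconds" line from the thread for 64.4.36.24, and a "31 targets 1 ports" line for the host sweep; the two scanners that stay under both limits within the window produce nothing.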
Current thread:
- Portscan2 and target limit Alan Kloster (Nov 08)
- RE: Portscan2 and target limit Steve Halligan (Nov 08)