Snort mailing list archives

RE: Portscan2 and target limit


From: Steve Halligan <giermo () geeksquad com>
Date: Fri, 8 Nov 2002 13:15:16 -0600

You are missing the other part of the test.  The port_limit option.
The below portscan2 line reads: "Generate an alert if more than 30 targets
OR more than 30 ports get hit in 5 seconds."

The scan log you included is a scan that hit 31 ports, thus generating an
alert.

-steve

preprocessor portscan2: scanners_max 3200, targets_max 5000, 
target_limit 30, port_limit 30, timeout 5

It is my understanding that with a target_limit setting of 30, 
a portscan would have to hit 30 different targets before an 
alert would be triggered.  Here's the relevant section from the FM:

"target_limit
      number of hosts a scanner must talk to before a scan is triggered"
If this is indeed the case, why am I still seeing dozens of 
the following types of alerts:
(spp_portscan2) Portscan detected from 64.4.36.24: 1 targets 
31 ports in 4 seconds 
If I read that correctly, it says that the scanner at 
64.4.36.24 hit 31 ports on 1 target in 4 seconds.  According 
to the target_limit setting of 30, I should never see these 
alerts.  What's up??  
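
To make the OR test Steve describes concrete, here is a small Python model of the portscan2 threshold. It is an added illustration written for this archive page, not Snort's spp_portscan2 source: it keeps a sliding window of `timeout` seconds per source address and raises an alert when either the number of distinct targets exceeds target_limit or the number of distinct destination ports exceeds port_limit. The three constructed traffic samples reproduce the case in the thread (one target, 31 ports in 4 seconds), a horizontal sweep that trips target_limit instead, and a slow scan that never fits inside the window. The 10.0.0.x addresses, the reset-after-alert behaviour and the exact window arithmetic are assumptions; the real preprocessor tracks more state than this.

```python
"""Simplified model of the portscan2 'targets OR ports within timeout'
threshold.  Added illustration, not Snort's spp_portscan2 source."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class Event:
    """One packet from a scanner, reduced to what the threshold looks at."""
    ts: float   # seconds
    src: str
    dst: str
    dport: int


@dataclass
class Alert:
    src: str
    targets: int
    ports: int
    window: float


class PortscanTracker:
    """Per-source sliding window of `timeout` seconds.  Alerts when EITHER
    distinct targets exceed target_limit OR distinct destination ports
    exceed port_limit; both tests mean 'more than', so 31 trips a limit of 30."""

    def __init__(self, target_limit: int = 30, port_limit: int = 30,
                 timeout: float = 5.0) -> None:
        self.target_limit = target_limit
        self.port_limit = port_limit
        self.timeout = timeout
        self._recent: Dict[str, Deque[Event]] = defaultdict(deque)

    def observe(self, ev: Event) -> Optional[Alert]:
        q = self._recent[ev.src]
        # Drop events that fell out of the window relative to this packet.
        while q and ev.ts - q[0].ts > self.timeout:
            q.popleft()
        q.append(ev)
        targets = {e.dst for e in q}
        ports = {e.dport for e in q}
        if len(targets) > self.target_limit or len(ports) > self.port_limit:
            alert = Alert(ev.src, len(targets), len(ports), ev.ts - q[0].ts)
            q.clear()  # assumption: reset so one burst yields one alert
            return alert
        return None


def format_alert(a: Alert) -> str:
    """Render in the spp_portscan2 message shape quoted in the thread."""
    return (f"(spp_portscan2) Portscan detected from {a.src}: "
            f"{a.targets} targets {a.ports} ports in {round(a.window)} seconds")


def run(events: List[Event], **limits) -> List[Alert]:
    """Feed events through a tracker in time order; **limits override defaults."""
    tracker = PortscanTracker(**limits)
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        a = tracker.observe(ev)
        if a is not None:
            alerts.append(a)
    return alerts


# Constructed traffic (every address except 64.4.36.24 is made up):
def vertical_scan() -> List[Event]:
    """One target, 31 ports, spread over 4 seconds: the case in the thread."""
    return [Event(100.0 + i * (4.0 / 30), "64.4.36.24", "10.0.0.5", 1000 + i)
            for i in range(31)]


def horizontal_scan() -> List[Event]:
    """31 targets, one port, 4 seconds: trips target_limit instead."""
    return [Event(200.0 + i * (4.0 / 30), "64.4.36.24", f"10.0.1.{i + 1}", 445)
            for i in range(31)]


def slow_scan() -> List[Event]:
    """31 ports on one target, 2 seconds apart: never 31 inside 5 seconds."""
    return [Event(300.0 + i * 2.0, "64.4.36.24", "10.0.0.5", 1000 + i)
            for i in range(31)]


if __name__ == "__main__":
    for name, scan in [("vertical", vertical_scan()),
                       ("horizontal", horizontal_scan()),
                       ("slow", slow_scan())]:
        for a in run(scan):
            print(name, "->", format_alert(a))
```

Raising only port_limit (for example to 40) silences the vertical alert while the horizontal sweep still fires, which is the practical answer to the question in the thread: target_limit alone cannot suppress a single-host port sweep.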




Snort-users mailing list
Snort-users () lists sourceforge net
