Snort mailing list archives

Re: portscan and portscan2


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 24 Mar 2003 20:22:44 -0500

Portscan2 is designed to be a little bit "smarter" than portscan by tracking connection states.

Portscan is just a simple "count the syn packets and see if they hit several different ports or servers in a short time" type tool. This easily detects people doing high-speed portscans of a single server, or sweeping a large number of servers looking for a service.

Unfortunately Portscan makes no distinction between the number of ports hit vs the number of machines hit, and can't detect "stealth" type port scans based on state violations because it only examines syn packets (null, syn-ack, fin, etc.).

Portscan2 (theoretically) tracks the state of conversations between hosts looking for signs of scans. This way it can (theoretically) tell a syn-ack scan from a legitimate response to a connection. It also supports separate thresholds for ports and machines hit in a given time.

That said, I've had such horrible experiences with portscan2 that I'm surprised that the snort-devels haven't scrapped it completely and removed it from the code, although Erek seems to have good results from it.

My own experience of high-false-positives of "syn-ack" scans seems to tell me that the state-inspection code either doesn't work, or fails to work properly on low-end hardware. I do know that on my hardware portscan2 causes enough overhead to introduce significant packet loss rates, so that is quite likely the problem. Even so it's quite surprising to me that it thinks that _every_ time a client in my network connects to a web page with a large number of embedded images the portscan2 preprocessor claims that the outside webserver is syn-ack scanning the client in my network.

I'll also point out that both of these mechanisms are easily bypassed by scanning a network slowly, something supported by nmap, so you're only going to catch rank amateurs and automated probes (i.e. worms) with this kind of detector.

At 04:15 PM 3/24/2003 -0800, Shadi Rostami wrote:
Hello all,
What is a difference between portscan, and portscan2?

Thanks
--Shadi
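To make the distinction in the reply above concrete, here is an added toy model of the two detectors (example code, not Snort's preprocessors): a SYN-only sliding-window counter with separate port and host thresholds, plus a portscan2-style state check that treats a SYN-ACK as a violation only when no matching SYN was seen. The window, thresholds and all traffic are constructed; the last sample shows why a slow scan stays under the window.

```python
from collections import defaultdict, deque

WINDOW_MS = 3000     # "short time" window; value assumed for the example
PORT_THRESHOLD = 5   # distinct ports hit by one source
HOST_THRESHOLD = 4   # distinct hosts hit by one source (separate, as in portscan2)

def scan_alerts(packets, window=WINDOW_MS, port_thr=PORT_THRESHOLD, host_thr=HOST_THRESHOLD):
    """packets: (ts_ms, src, dst, service_port, flags) in time order.
    service_port is the server-side port in both directions; 'S' is a SYN,
    'SA' a SYN-ACK, anything else is ignored (as the SYN-only portscan does).
    Returns [(ts_ms, src, kind)], at most one alert per source and kind."""
    syns = defaultdict(deque)   # src -> recent (ts, dst, port) SYNs
    handshakes = set()          # (client, server, port) for which a SYN was seen
    alerts, fired = [], set()

    def fire(ts, src, kind):
        if (src, kind) not in fired:
            fired.add((src, kind))
            alerts.append((ts, src, kind))

    for ts, src, dst, port, flags in packets:
        if flags == "SA":
            # State check in the spirit of portscan2: a SYN-ACK answering a
            # SYN we saw is a normal handshake; an unsolicited one is a violation.
            if (dst, src, port) not in handshakes:
                fire(ts, src, "synack-scan")
            continue
        if flags != "S":
            continue
        handshakes.add((src, dst, port))
        hist = syns[src]
        hist.append((ts, dst, port))
        while ts - hist[0][0] > window:   # drop SYNs older than the window
            hist.popleft()
        if len({p for _, _, p in hist}) >= port_thr:
            fire(ts, src, "portscan")
        if len({d for _, d, _ in hist}) >= host_thr:
            fire(ts, src, "portsweep")
    return alerts

# Constructed sample traffic (not captured data), timestamps in ms.
FAST_SCAN = [(100 * i, "10.0.0.9", "10.0.0.1", 20 + i, "S") for i in range(6)]
SWEEP = [(1000 + 100 * i, "10.0.0.6", "10.0.0.%d" % (10 + i), 445, "S") for i in range(5)]
WEB_PAGE = ([(5000 + 10 * i, "10.0.0.5", "203.0.113.7", 80, "S") for i in range(8)] +
            [(5500 + 10 * i, "203.0.113.7", "10.0.0.5", 80, "SA") for i in range(8)])
UNSOLICITED = [(6000, "203.0.113.9", "10.0.0.5", 80, "SA")]   # no SYN preceded this
SLOW_SCAN = [(20000 + 10000 * i, "10.0.0.8", "10.0.0.1", 20 + i, "S") for i in range(6)]
SAMPLE = FAST_SCAN + SWEEP + WEB_PAGE + UNSOLICITED + SLOW_SCAN

if __name__ == "__main__":
    for alert in scan_alerts(SAMPLE):
        print(alert)
```

The browser fetching eight images from one server raises nothing because the SYN-ACKs match recorded SYNs, while the scan spaced ten seconds apart never has more than one SYN inside the window.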



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net