Snort mailing list archives
Portscan2 to detect RPC and other similar worms?
From: "William Tan" <bill () wwtan com>
Date: Mon, 25 Aug 2003 15:07:00 -0400
Many of the recent worms tend to exhibit themselves by scanning the same port (say tcp 135) on hundreds of hosts in a short period of time. Can the portscan2 preprocessor be used to detect this kind of behaviour? I have experimented briefly with the target_limit and port_limit parameters. I set target_limit=512 and port_limit=1, but it seems that this triggers a port scan alert if either condition is met. What I really want is for both conditions to be met. My goal is to use portscan2 to detect infected hosts on my home network (by ignoring $EXTERNAL_NET) with portscan2. Is there a better way to do this within Snort?

Thanks.

W Tan
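Added example, not part of the original post and not Snort code: a sketch of the combined condition the question asks for, flagging an internal source only when it contacts many distinct hosts on one and the same destination port within a time window. The function names, the event tuple layout and the sample traffic are constructed assumptions; `target_limit` is reused here only as the name of the distinct-host threshold.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

def find_single_port_sweeps(events, home_net, target_limit, window):
    """events: (ts_seconds, src_ip, dst_ip, dst_port) tuples sorted by ts.
    Returns [(src_ip, dst_port, ts_of_first_alert)] for internal sources that
    reached >= target_limit distinct hosts on ONE port within `window` seconds."""
    net = ip_network(home_net)
    recent = defaultdict(deque)                     # (src, port) -> (ts, dst) in window
    seen = defaultdict(lambda: defaultdict(int))    # (src, port) -> dst -> hits in window
    alerted, alerts = set(), []
    for ts, src, dst, port in events:
        if ip_address(src) not in net:              # only watch hosts on the home network
            continue
        key = (src, port)                           # per-port state: both conditions at once
        q, hits = recent[key], seen[key]
        q.append((ts, dst))
        hits[dst] += 1
        while ts - q[0][0] > window:                # expire events older than the window
            _, old = q.popleft()
            hits[old] -= 1
            if hits[old] == 0:
                del hits[old]
        if len(hits) >= target_limit and key not in alerted:
            alerted.add(key)                        # one alert per (source, port)
            alerts.append((src, port, ts))
    return alerts

def constructed_sample():
    """Constructed traffic, 10 connections per second for 60 s per host."""
    ev = []
    for i in range(600):
        t = i // 10
        # worm-like sweep: tcp/135 on 600 different hosts
        ev.append((t, "192.168.1.50", f"198.18.{i // 256}.{i % 256}", 135))
        # busy but normal client: same 3 servers on tcp/443
        ev.append((t, "192.168.1.10", f"198.51.100.{i % 3 + 1}", 443))
        # many ports on a single host: not the single-port pattern
        ev.append((t, "192.168.1.20", "198.51.100.9", 1 + i))
        # external source sweeping inward: ignored by design
        ev.append((t, "203.0.113.5", f"192.168.1.{i % 250 + 1}", 135))
    return sorted(ev)

if __name__ == "__main__":
    for src, port, ts in find_single_port_sweeps(
            constructed_sample(), "192.168.1.0/24", target_limit=512, window=60):
        print(f"{src} swept port {port}: threshold reached at t={ts}s")
```

Keeping state per (source, port) pair rather than per source means a host's ordinary traffic on other ports does not mask a sweep on one port.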