Snort mailing list archives

Re: Portscan2, where port !=X


From: "Jade E. Deane" <jade.deane () riven net>
Date: 31 Aug 2003 12:16:27 -0500

Matt,
A very good point indeed.  In fact, the sensors I'm playing around with
here at home are both dual Intel Pro 200s.

Can you, or someone else on the list, provide any suggestions for
running snort on minimal hardware?

I'm also curious, how can you (while snort is acting as a background
alert daemon) get a sense of the packet drop rate?

Regards,
Jade

On Sun, 2003-08-31 at 10:26, Matt Kettler wrote:
> At 09:55 PM 8/30/2003 -0500, Jade E. Deane wrote:
> 
> > Is it possible to ignore a scan using portscan2, where the source port
> > is X?
> > 
> > Example:
> > 07/06/03-17:55:19.708517  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49399 tgts: 1 ports: 60 flags: ***A**S* event_id: 108
> > 07/06/03-17:55:20.136362  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 39705 tgts: 1 ports: 61 flags: ***A**S* event_id: 108
> > 07/06/03-17:55:20.268826  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49401 tgts: 1 ports: 62 flags: ***A**S* event_id: 108
> 
> Of note, are you running snort on low-end hardware?
> 
> This is the kind of false positive "syn ack" scan I was seeing when I ran
> snort on a p-166 with portscan2 enabled. It was dropping so many packets
> that it missed the initial syn, so it declared the syn-ack a scan.
> 
> Once I disabled portscan2 and conversation the packet drop rate fell back
> to a normal level. I did lose portscan2's functionality, but at least
> snort was no longer dropping 5-10% of the packets coming in so that the
> normal rules would at least work.
> 
> Check your packet drop rates. If they are high, disable portscan2 and
> conversation or upgrade your hardware.



-- 

PGP Public Key:  http://www.riven.net/~moose/key.asc
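The thread asks how to ignore portscan2 events whose source port is X, and Matt explains why a SYN-ACK from a service port to a single target is usually a dropped-SYN artifact rather than a scan. The following is an added example, not code from the thread or from Snort: a small post-filter over portscan2 log lines in the format quoted above. The log lines are constructed from the thread plus one made-up genuine SYN scan; the set of ignored source ports and the "single target" heuristic are assumptions for the example.

```python
import re

# Field layout of the portscan2 log lines quoted in the thread.
PORTSCAN2_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+tgts:\s*(?P<tgts>\d+)\s+"
    r"ports:\s*(?P<ports>\d+)\s+flags:\s*(?P<flags>\S+)\s+event_id:\s*(?P<event_id>\d+)$"
)

# Constructed sample: the three events from the thread plus one real-looking SYN scan.
SAMPLE_LOG = [
    "07/06/03-17:55:19.708517  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49399 tgts: 1 ports: 60 flags: ***A**S* event_id: 108",
    "07/06/03-17:55:20.136362  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 39705 tgts: 1 ports: 61 flags: ***A**S* event_id: 108",
    "07/06/03-17:55:20.268826  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49401 tgts: 1 ports: 62 flags: ***A**S* event_id: 108",
    "07/06/03-18:02:11.000001  TCP src: 10.0.47.99 dst: 10.0.47.3 sport: 41234 dport: 22 tgts: 1 ports: 15 flags: ******S* event_id: 109",
]

def parse_line(line):
    """Return a dict for one portscan2 line, or None if it does not match the format."""
    m = PORTSCAN2_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "tgts", "ports", "event_id"):
        rec[key] = int(rec[key])
    return rec

def is_syn_ack(flags):
    # Snort's 8-character flag string is 1 2 U A P R S F with '*' for unset bits,
    # so "***A**S*" has ACK (index 3) and SYN (index 6) set.
    return len(flags) == 8 and flags[3] == "A" and flags[6] == "S"

def likely_dropped_syn(rec, ignore_sports):
    """Matt's pattern: SYN-ACK from a service port to a single target (assumed heuristic)."""
    return (rec["proto"] == "TCP" and rec["sport"] in ignore_sports
            and is_syn_ack(rec["flags"]) and rec["tgts"] == 1)

def filter_events(lines, ignore_sports=frozenset({80, 443})):
    """Split parsed events into (kept, suppressed); unparseable lines are skipped."""
    kept, suppressed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        (suppressed if likely_dropped_syn(rec, ignore_sports) else kept).append(rec)
    return kept, suppressed
```

Suppressing these events only hides the symptom; the drop rate Matt mentions is the thing to fix.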


