Snort mailing list archives
Re: Portscan2, where port !=X
From: "Jade E. Deane" <jade.deane () riven net>
Date: 31 Aug 2003 12:16:27 -0500
Matt,

A very good point indeed. In fact, the sensors I'm playing around with here at home are both dual Intel Pro 200s. Can you, or someone else on the list, provide any suggestions for running snort on minimal hardware?

I'm also curious, how can you (while snort is acting as a background alert daemon) get a sense of the packet drop rate?

Regards,
Jade

On Sun, 2003-08-31 at 10:26, Matt Kettler wrote:
> At 09:55 PM 8/30/2003 -0500, Jade E. Deane wrote:
> > Is it possible to ignore a scan using portscan2, where the source port is X?
> >
> > Example:
> >
> > 07/06/03-17:55:19.708517 TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49399 tgts: 1 ports: 60 flags: ***A**S* event_id: 108
> > 07/06/03-17:55:20.136362 TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 39705 tgts: 1 ports: 61 flags: ***A**S* event_id: 108
> > 07/06/03-17:55:20.268826 TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49401 tgts: 1 ports: 62 flags: ***A**S* event_id: 108
>
> Of note, are you running snort on low-end hardware? This is the kind of false positive "syn ack" scan I was seeing when I ran snort on a p-166 with portscan2 enabled. It was dropping so many packets that it missed the initial syn, so it declared the syn-ack a scan.
>
> Once I disabled portscan2 and conversation the packet drop rate fell back to a normal level. I did lose portscan2's functionality, but at least snort was no longer dropping 5-10% of the packets coming in so that the normal rules would at least work.
>
> Check your packet drop rates. If they are high, disable portscan2 and conversation or upgrade your hardware.
-- PGP Public Key: http://www.riven.net/~moose/key.asc
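Added example (not code from the thread or from Snort): a parser for the portscan2 log lines quoted above, a triage check for the failure mode Matt describes (a SYN-ACK from a service port to an ephemeral port on a single host is the reply half of a connection whose SYN the sensor dropped), and a post-filter answering the original "ignore where source port is X" question. The three sample lines are the ones from the thread; `likely_dropped_syn` and `drop_by_sport` are hypothetical helper names, and the 1024 service/ephemeral boundary is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample input: the three portscan2 entries quoted in the thread
# (the sensor saw only the SYN-ACK replies from port 443, never the outbound SYNs).
SAMPLE_LOG = """\
07/06/03-17:55:19.708517 TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49399 tgts: 1 ports: 60 flags: ***A**S* event_id: 108
07/06/03-17:55:20.136362 TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 39705 tgts: 1 ports: 61 flags: ***A**S* event_id: 108
07/06/03-17:55:20.268826 TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49401 tgts: 1 ports: 62 flags: ***A**S* event_id: 108
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) src: (?P<src>\S+) dst: (?P<dst>\S+) "
    r"sport: (?P<sport>\d+) dport: (?P<dport>\d+) tgts: (?P<tgts>\d+) "
    r"ports: (?P<ports>\d+) flags: (?P<flags>\S+) event_id: (?P<eid>\d+)$"
)

@dataclass
class Entry:
    ts: str
    src: str
    dst: str
    sport: int
    dport: int
    tgts: int
    ports: int
    flags: str  # Snort flag string in 12UAPRSF order; '*' means the bit is clear

def parse(text: str) -> List[Entry]:
    """Parse portscan2 log lines; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            out.append(Entry(d["ts"], d["src"], d["dst"], int(d["sport"]), int(d["dport"]),
                             int(d["tgts"]), int(d["ports"]), d["flags"]))
    return out

def likely_dropped_syn(e: Entry) -> bool:
    """True when the entry looks like a legitimate SYN-ACK reply rather than a scan:
    SYN and ACK set, service-range source port, ephemeral destination port, one target."""
    return {"S", "A"} <= set(e.flags) and e.sport < 1024 and e.dport >= 1024 and e.tgts == 1

def drop_by_sport(entries: List[Entry], ignore: Set[int]) -> List[Entry]:
    """Post-filter for the original question: suppress entries whose source port is in
    `ignore` (e.g. {443}). Applied to the log output, not a portscan2 option."""
    return [e for e in entries if e.sport not in ignore]
```

Suppressing by source port hides the symptom only; a high drop rate still means the regular rules are missing traffic, so the triage flag is the more useful signal.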