Snort mailing list archives

Re: port scans


From: Michael Boman <michael.boman () gmail com>
Date: Mon, 27 Dec 2004 23:23:48 +0800

On Mon, 27 Dec 2004 06:38:33 -0800 (PST), Sidharth Deshpande
<sade_in () yahoo com> wrote:
> Hello team,
>
> I am running snort on a test network. I was interested to know if snort can
> detect port scans that are extremely slow. Port scans that span over a few
> days for example.
>
> Is there a way for snort to identify this kind of scan?
>
> I hope you could help me out with this information.
>
> Thanks
>
> Sidharth Deshpande

For extremely slow portscans an IDS like SHADOW is more suited.
However, you can do something like Frank Knobbe described at
http://msgs.securepoint.com/cgi-bin/get/snort-0404/325/1.html, i.e.:
alerting on non-existing hosts/ports.

Best regards
 Michael Boman
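
The approach named in the reply above, alerting on traffic to hosts/ports that do not exist, sketched as an added example (not part of the original messages, and not Snort or SHADOW code). Because any touch of a non-existent target is suspicious on its own, probes can be grouped per source with no time window, so a scan spread over days still adds up. The log format, the `LIVE_SERVICES` inventory and all addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed inventory of host/port pairs that really exist (constructed).
LIVE_SERVICES = {
    ("192.0.2.10", 22),
    ("192.0.2.10", 80),
    ("192.0.2.20", 25),
}

# Constructed connection-attempt log: "timestamp src dst dport".
SAMPLE_LOG = """\
2004-12-20T03:14:07 198.51.100.7 192.0.2.10 80
2004-12-20T09:41:55 203.0.113.9 192.0.2.20 25
2004-12-21T17:02:31 198.51.100.7 192.0.2.10 23
2004-12-23T05:48:12 198.51.100.7 192.0.2.99 22
2004-12-24T02:10:00 203.0.113.44 192.0.2.20 110
2004-12-26T22:30:45 198.51.100.7 192.0.2.20 443
"""

def parse(log_text):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of failing the whole run
        ts, src, dst, dport = fields
        yield datetime.fromisoformat(ts), src, dst, int(dport)

def dark_touches(log_text, live=LIVE_SERVICES):
    """Group probes of non-existent host/port pairs by source, with no time window."""
    hits = defaultdict(list)
    for ts, src, dst, dport in parse(log_text):
        if (dst, dport) not in live:
            hits[src].append((ts, dst, dport))
    return hits

def report(log_text, min_targets=2):
    """Return {src: (distinct non-existent targets, span in days)}."""
    out = {}
    for src, events in dark_touches(log_text).items():
        targets = {(dst, port) for _, dst, port in events}
        if len(targets) >= min_targets:
            times = [ts for ts, _, _ in events]
            out[src] = (len(targets), (max(times) - min(times)).days)
    return out

if __name__ == "__main__":
    for src, (count, days) in report(SAMPLE_LOG).items():
        print(f"{src}: {count} non-existent targets probed over {days} days")
```

The `min_targets` threshold trades a single mistyped address against a repeat prober; lowering it to 1 reports every source that touched anything non-existent.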

