Snort mailing list archives
Re: False positives with UDP Portscan PROTO255
From: Jeremy Hewlett <jh () sourcefire com>
Date: Wed, 9 Mar 2005 13:00:52 -0500
On Sat, Mar 05, Mike Lieberman wrote:
> The black hats are without a doubt aware of this, but a portscan that can't distinguish normal traffic from abnormal traffic is of no more
How do you define abnormal traffic? Traffic you've never seen before? Traffic which is crafted?
> If I am getting 999 false positives to one true positive, what's the likelihood that I would catch the 'true' one?
As Jeff Kell stated, what you're experiencing is the definition of a portscan. We've gone through some lengths with TCP to weed out false positives, but UDP is more difficult. What methods have you tried in tuning the portscan preprocessor? There's a section in the README.sfportscan that details some thoughts on tuning this.
> With all respect to those who write and maintain the rules, I don't find this rule helpful and will seek to exclude port 53. IMHO we need a more sophisticated tool in this regard.
This is the first release of sfPortscan, and thus has just begun its life cycle. I'm open to ideas in ways to make it better. Anyone is welcome to send me ideas, patches, start discussions, etc...
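The tuning Jeremy points to in README.sfportscan is mostly a matter of telling the preprocessor which hosts it should not treat as scanners or scan targets. The snort.conf fragment below is an added illustration, not text from this thread or from Snort's own documentation; the first line is the stock sfPortscan configuration, the second is a tuned version for a site whose recursive DNS resolvers (the 10.0.0.53 and 10.0.1.53 addresses are assumed placeholders) are the source of the PROTO255 UDP alerts.

```conf
# Stock configuration: every host is a candidate scanner, so a busy recursive
# resolver that talks to hundreds of authoritative servers and answers clients
# on many ephemeral UDP ports looks exactly like a UDP portsweep/portscan.
preprocessor sfportscan: proto { all } \
                         memcap { 10000000 } \
                         sense_level { low }

# Tuned configuration (example; 10.0.0.53 and 10.0.1.53 are placeholder
# resolver addresses, replace them with your own):
#  - sense_level { low } is the least sensitive of low/medium/high and fires
#    only on the strongest scan evidence;
#  - ignore_scanners drops the resolvers as candidate sources, which removes
#    the outbound "sweep" their upstream queries produce;
#  - ignore_scanned drops them as candidate targets, which removes the
#    "scan" their many inbound client queries produce.
preprocessor sfportscan: proto { all } \
                         scan_type { all } \
                         sense_level { low } \
                         memcap { 10000000 } \
                         ignore_scanners { 10.0.0.53 10.0.1.53 } \
                         ignore_scanned { 10.0.0.53 10.0.1.53 }
```

The trade-off to keep in mind is that an address listed in ignore_scanners is never reported as a scanner at all, so a scan launched from a compromised resolver would also go unreported; the list should therefore contain only the few hosts whose DNS role explains the traffic, not whole subnets, and the real scanning behaviour of those hosts is better watched with ordinary DNS rules and flow records than with the portscan preprocessor.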
Current thread:
- False positives with UDP Portscan PROTO255 Mike Lieberman (Mar 05)
- Re: False positives with UDP Portscan PROTO255 Jeff Kell (Mar 05)
- RE: False positives with UDP Portscan PROTO255 Mike Lieberman (Mar 05)
- RE: False positives with UDP Portscan PROTO255 Orit Vidas (Mar 08)
- Re: False positives with UDP Portscan PROTO255 Jeremy Hewlett (Mar 09)
- Re: False positives with UDP Portscan PROTO255 Rich Adamson (Mar 05)
- RE: False positives with UDP Portscan PROTO255 Mike Lieberman (Mar 05)
- Re: False positives with UDP Portscan PROTO255 Jeff Kell (Mar 05)