Snort mailing list archives
sfportscan logging
From: John Newman <jnn () webii net>
Date: Thu, 27 Apr 2006 08:19:01 -0500
Hello,

Despite the fact that snort basically kicks ass I'm having some problems. I've got sfportscan enabled in 2.4.4. It works well, but generates lots of false positives on our (busy) network.

The widely touted README.sfportscan has a guide to tuning, including using specific pieces of output from the log file, e.g. connection and priority counts, IP count, etc., to determine false positives. The problem is, AFAICT, the connection count and most of the other data put in that logfile (the one you specify in the sfportscan preprocessor line in snort.conf) is mostly inaccurate, at least on my box. Connection and priority counts never add up to the number of ports being scanned in tests I run. Sometimes a portscan I generate from a single host is detected as a distributed portscan and the log file actually shows me the other IPs that are supposed to have participated.

This is on a basically stock Fedora Core 3 box, with snort built from scratch. Any ideas? Or should I just go back to using the original portscan modules? (We use the output from this stuff to generate iptables rules to block people that portscan us, amongst other things.)

thanks,

--
John Newman
Systems Administrator, WebXess Inc.
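The tuning approach the post refers to, applied in code, as an added example that is not part of the original message or of the Snort distribution: parse the blank-line-separated event records that sfportscan writes to the logfile named on its preprocessor line, compute the ratios README.sfportscan suggests for spotting false positives (connections per IP, ports per IP, connections per port, and the share of connections that drew a bad response, i.e. Priority Count over Connection Count), and emit a block rule only for events that look like real scans. The sample records, the thresholds, and the rule format are constructed assumptions; the field names follow the README's description of the logfile, and the decision rule is this editor's reading of the README's ratio guidance, not a Snort facility. Note the caveat the post itself raises: if the counters in the logfile are wrong, every ratio derived from them is wrong too, so this script shows the mechanics rather than guaranteeing a correct verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the sfportscan logfile layout (the file named on the
# sfportscan preprocessor line in snort.conf). Three made-up events: a
# single-host TCP portscan that drew a RST for every probe, a portsweep-looking
# burst from a busy proxy talking to 40 hosts on port 80, and heavy web traffic
# from one host that only ever touched two ports.
SAMPLE_LOG = """\
Time: 04/27-08:19:01.123456
event_id: 1
192.0.2.10 -> 198.51.100.5 (portscan) TCP Portscan
Priority Count: 9
Connection Count: 9
IP Count: 1
Scanner IP Range: 192.0.2.10:192.0.2.10
Port/Proto Count: 9
Port/Proto Range: 20:47

Time: 04/27-08:19:07.000001
event_id: 2
192.0.2.77 -> 198.51.100.5 (portscan) TCP Portsweep
Priority Count: 0
Connection Count: 40
IP Count: 40
Scanned IP Range: 198.51.100.1:198.51.100.40
Port/Proto Count: 1
Port/Proto Range: 80:80

Time: 04/27-08:20:15.555555
event_id: 3
192.0.2.99 -> 198.51.100.5 (portscan) TCP Portscan
Priority Count: 2
Connection Count: 200
IP Count: 1
Scanner IP Range: 192.0.2.99:192.0.2.99
Port/Proto Count: 2
Port/Proto Range: 80:443
"""

# "src -> dst (portscan) <scan type>" header line of each record.
HEADER_RE = re.compile(r"^(\S+) -> (\S+) \(portscan\) (.+)$")


@dataclass
class ScanEvent:
    time: str
    event_id: int
    src: str
    dst: str
    kind: str
    priority: int      # Priority Count: probes that drew a bad response
    connections: int   # Connection Count
    ips: int           # IP Count
    ports: int         # Port/Proto Count


def parse_sfportscan_log(text: str) -> List[ScanEvent]:
    """Split the logfile into blank-line-separated records and pull out the counters."""
    events: List[ScanEvent] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        src = dst = kind = None
        for line in block.splitlines():
            m = HEADER_RE.match(line.strip())
            if m:
                src, dst, kind = m.groups()
                continue
            if ": " in line:
                key, val = line.split(": ", 1)
                fields[key.strip()] = val.strip()
        if src is None:
            continue  # not an event record (e.g. a stray line)
        events.append(ScanEvent(
            time=fields.get("Time", ""),
            event_id=int(fields.get("event_id", 0)),
            src=src, dst=dst, kind=kind,
            priority=int(fields.get("Priority Count", 0)),
            connections=int(fields.get("Connection Count", 0)),
            ips=int(fields.get("IP Count", 0)),
            ports=int(fields.get("Port/Proto Count", 0)),
        ))
    return events


def ratios(ev: ScanEvent) -> Dict[str, float]:
    """The README's ratio estimates; denominators are clamped so a zero counter cannot crash us."""
    return {
        "conn_per_ip": ev.connections / max(ev.ips, 1),
        "port_per_ip": ev.ports / max(ev.ips, 1),
        "conn_per_port": ev.connections / max(ev.ports, 1),
        "bad_response_frac": ev.priority / max(ev.connections, 1),
    }


def is_likely_scan(ev: ScanEvent, min_bad_frac: float = 0.5,
                   max_conn_per_port: float = 2.0, min_port_per_ip: float = 5.0) -> bool:
    """Assumed thresholds: mostly bad responses, or few connections per port
    spread over many ports per host, reads as a scan; many connections piled
    onto one or two ports reads as ordinary client/server traffic."""
    r = ratios(ev)
    if r["bad_response_frac"] >= min_bad_frac:
        return True
    return r["conn_per_port"] <= max_conn_per_port and r["port_per_ip"] >= min_port_per_ip


def block_rules(events: List[ScanEvent]) -> List[str]:
    """Rule strings only; nothing here touches the firewall."""
    return [f"iptables -I INPUT -s {ev.src} -j DROP" for ev in events if is_likely_scan(ev)]


if __name__ == "__main__":
    parsed = parse_sfportscan_log(SAMPLE_LOG)
    for ev in parsed:
        print(ev.event_id, ev.kind, ev.src, ratios(ev), "SCAN" if is_likely_scan(ev) else "probable false positive")
    print("\n".join(block_rules(parsed)))
```

On the three sample records only event 1 passes (every probe drew a bad response and each port was touched once), while the proxy sweep and the two-port web client are rejected on the connections-per-port ratio, which is exactly the kind of busy-network traffic the post describes as noise. Feed the real logfile in with `parse_sfportscan_log(open(path).read())` and adjust the thresholds per network; a reasonable first sanity check against the counter problem the post reports is to compare `ports` and `connections` on an event you generated yourself against the number of ports you actually hit.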
Current thread:
- sfportscan logging John Newman (Apr 27)