sfportscan logging

[John Newman <jnn () webii net>]

Hello,

Despite the fact that snort basically kicks ass I'm having some problems.

I've got sfportscan enabled in 2.4.4. It works well, but generates lots of
false positives on our (busy) network. The widely touted README.sfportscan
has a guide to tuning, including using specific pieces of output from the
log file e.g. connection and priority counts, ip count, etc., to determine
false positives.

The problem is, AFAICT, the connection count and most of the other data
put in that logfile (the one you specifiy in the sfportscan preprocessor
line in snort.conf) is mostly inaccurate, at least on my box. Connection
and priority counts never add up to the number of ports being scanned in
tests I run. Sometimes a portscan I generate from a single host is detected
as a distributed portscan and the log file actually shows me the other IPs
that are supposed to have participated.

This is on a basically stock Fedora Core 3 box, with snort built from
scratch. Any ideas? Or should I just go back to using the originsl portscan
modules? (We use the output from this stuff to generate iptables rules to
block people that portscan us, amongst other things).

thanks,

-- 
John Newman
Systems Administrator, WebXess Inc.


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users