Snort mailing list archives
Re: sfPortscan - Unfiltered PortScan Detected, Missing Most Open Port Alerts
From: Todd Wease <twease () sourcefire com>
Date: Sat, 31 Jan 2009 16:21:52 -0500
Hi staff,

The sfportscan preprocessor currently only keeps track of 7 open ports. I'm guessing the hard-coded limit boiled down to what was believed to be a reasonable max for the services a machine might be offering, or maybe it was due to memory considerations (although I don't think tracking something like 50 ports would be that hard on memory; it will tack on an extra 5MB per 64K sessions tracked by sfportscan. Note the default sfportscan memcap of 10MB limits the number of sessions to around 13K). I'll see if we can't up the limit or make the limit configurable.

Thanks,
Todd

staff wrote:
Hello all,

I am working on the sfPortScan preprocessor and I came across a few things I can not seem to resolve; hopefully you guys can help. I have done all the reading I can find on the issue; I have a book on Snort, however it is not with me atm.

The first thing I noticed is that the portscan detection is (by far) most accurate when there is no firewall in the path (TCP Portscan). That said, when I scan a system that has 16 open ports, I see the initial TCP Portscan alert (shown below).

-------
Time: 01/31-13:44:27.280811
event_id: 174
a.b.c.d -> a.b.c.t (portscan) TCP Portscan
Priority Count: 10
Connection Count: 18
IP Count: 1
Scanner IP Range: a.b.c.d:a.b.c.d
Port/Proto Count: 18
Port/Proto Range: 47:457
--------

While the port range is pretty accurate (really is 1-500), I only get 7 "Open Port" alerts. Strange thing is the system a.b.c.d that did the scanning got 16 SYN/ACKs back... So where are my 8 other Open Port alerts?

Regarding the config, it is just straight Snort (no db); the preprocessor line is below. The system has plenty of hardware and the target is in a VM, Snort is running on the host, the source is a different box.

---
preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000 } sense_level { medium } logfile { sfPortscan.log }
---

------------------------------------------------------------------------------
This SF.net email is sponsored by: SourceForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
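An added example, not code from the thread or from the Snort project: a small Python script that parses sfPortscan log records laid out like the TCP Portscan alert quoted above, groups the "Open Port" alerts under the scan event they belong to, and reports the shortfall against the number of open ports the scanner itself observed (the 16 SYN/ACKs in the post). The sample log is constructed, and the layout of the Open Port record (an `event_ref` line pointing back at the scan's `event_id`, followed by `Open Port: N`) is an assumption about the preprocessor's output, so check it against a real `sfPortscan.log` before relying on it.

```python
import re
from collections import defaultdict

# Header line of every sfPortscan record: "<src> -> <dst> (portscan) <kind>"
HEADER_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) \(portscan\) (?P<kind>.+)$")

# Constructed sample (not a real capture). The TCP Portscan record follows the
# layout of the alert quoted in the thread; addresses and ports are made up.
SCAN_RECORD = """\
Time: 01/31-13:44:27.280811
event_id: 174
10.0.0.5 -> 10.0.0.20 (portscan) TCP Portscan
Priority Count: 10
Connection Count: 18
IP Count: 1
Scanner IP Range: 10.0.0.5:10.0.0.5
Port/Proto Count: 18
Port/Proto Range: 47:457
"""


def open_port_record(event_ref, port, usec):
    """Build one constructed Open Port record. This layout (event_ref back to
    the scan's event_id, then 'Open Port: N') is assumed, not taken from the
    thread; adjust it if your sfPortscan.log differs."""
    return (f"Time: 01/31-13:44:27.{usec:06d}\n"
            f"event_ref: {event_ref}\n"
            f"10.0.0.5 -> 10.0.0.20 (portscan) Open Port\n"
            f"Open Port: {port}\n")


# Only 7 Open Port records: sfPortscan tracks at most 7 open ports per scan,
# so this is what the log looks like for a 16-open-port target.
OPEN_PORTS_SEEN = [21, 22, 25, 53, 80, 110, 143]
SAMPLE_LOG = SCAN_RECORD + "\n" + "\n".join(
    open_port_record(174, port, 280812 + i) for i, port in enumerate(OPEN_PORTS_SEEN))


def parse_records(text):
    """Split a blank-line-separated sfPortscan log into one dict per record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = HEADER_RE.match(line)
            if m:
                rec.update(m.groupdict())          # src, dst, kind
            elif ": " in line:
                key, _, value = line.partition(": ")   # first ': ' only, so
                rec[key.strip()] = value.strip()       # 'a:b' ranges survive
        records.append(rec)
    return records


def index_records(records):
    """Return (scan events keyed by event_id, open ports keyed by event_ref)."""
    scans = {}
    ports = defaultdict(set)
    for rec in records:
        if rec.get("kind") == "Open Port" and "event_ref" in rec:
            ports[rec["event_ref"]].add(int(rec["Open Port"]))
        elif "event_id" in rec:
            scans[rec["event_id"]] = rec
    return scans, ports


def reconcile(records, expected_open):
    """For each scan event, compare the Open Port alerts logged with the number
    of open ports the scanner actually saw (supplied by the caller, e.g. from
    the nmap result). Scans with zero Open Port alerts are still listed."""
    scans, ports = index_records(records)
    report = []
    for eid, scan in scans.items():
        found = sorted(ports.get(eid, ()))
        report.append({
            "event_id": eid,
            "scanner": scan["src"],
            "target": scan["dst"],
            "port_proto_count": int(scan["Port/Proto Count"]),
            "open_ports": found,
            "reported": len(found),
            "expected": expected_open,
            "missing": max(expected_open - len(found), 0),
        })
    return report


if __name__ == "__main__":
    for row in reconcile(parse_records(SAMPLE_LOG), expected_open=16):
        print(f"event {row['event_id']}: {row['scanner']} -> {row['target']} "
              f"probed {row['port_proto_count']} ports, "
              f"{row['reported']}/{row['expected']} open ports alerted "
              f"({row['missing']} missing): {row['open_ports']}")
```

The "expected" figure has to come from outside the log (the scanning host's own view, as in the post), since the preprocessor cannot report ports it stopped tracking; the "missing" column is where the 7-port cap shows up.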
Current thread:
- sfPortscan - Unfiltered PortScan Detected, Missing Most Open Port Alerts staff (Jan 31)
- Re: sfPortscan - Unfiltered PortScan Detected, Missing Most Open Port Alerts Todd Wease (Jan 31)