Snort mailing list archives

Re: How many ports is considered a portsweep/portscan?


From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 18 Mar 2010 20:04:27 -0600

Have you tried this?


  3. Make use of the Priority Count, Connection Count, IP Count, Port Count,
     IP range, and Port range to determine false positives.

     The portscan alert details are vital in determining the scope of a
     portscan and also the confidence of the portscan.  In the future, we hope
     to automate much of this analysis in assigning a scope level and
     confidence level, but for now the user must manually do this.  The easiest
     way to determine false positives is through simple ratio estimations.  The
     following is a list of ratios to estimate and the associated values that
     indicate a legitimate scan and not a false positive.

     Connection Count / IP Count:  This ratio indicates an estimated average
     of connections per IP.  For portscans, this ratio should be high, the
     higher the better.  For portsweeps, this ratio should be low.

     Port Count / IP Count:  This ratio indicates an estimated average of
     ports connected to per IP.  For portscans, this ratio should be high and
     indicates that the scanned host's ports were connected to by fewer IPs.
     For portsweeps, this ratio should be low, indicating that the scanning
     host connected to few ports but on many hosts.

     Connection Count / Port Count:  This ratio indicates an estimated
     average of connections per port.  For portscans, this ratio should be low.
     This indicates that each connection was to a different port.  For
     portsweeps, this ratio should be high.  This indicates that there were
     many connections to the same port.

     The reason that Priority Count is not included is because the priority
     count is included in the connection count and the above comparisons take
     that into consideration.  The Priority Count plays an important role in
     tuning because the higher the priority count the more likely it is a real
     portscan or portsweep (unless the host is firewalled).


On Thu, Mar 18, 2010 at 9:10 AM, James Lay <jlay () slave-tothe-box net> wrote:
Subject pretty much says it all...there are certain machines that I want to be
able to detect a portsweep or scan, but not when they scan say 4 or 5 ports
like booting up with netbios checking out other machines on a network (I think
that's why I'm seeing these FP's).  Sfportscan is set to low, but I'm not sure
what else I can set?  Thanks all.



Thanks Matt,

I took a good solid read of the README for sfportscan, but at the end of the
day it seems that I'm left with only a couple options of ignore_scanners,
and ignore_scanned.  Am I reading something wrong?  These seem pretty binary
to me....unless there's a more granular level of control that I'm missing.
I have two servers that chat with each other...if I use either of these
ignore lines, my high amount of portscan alerts goes away, but then if
one of those servers is compromised, I would WANT to see any unusual
portscan type traffic.  Does this make sense or do I sound way out of whack?
Like..the functionality to say "an attempt to open 6 ports within 10 seconds
is fine to this range of 135-141, but an attempt to open 6 ports within 10
seconds of any other range and I want an alert".  Or something close to
that.  Thanks for the assist.

James
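The README ratios quoted above, plus the per-range exception James asks for, can be scripted over the alert payload fields sfportscan emits. This is an added example, not code from the thread or from Snort: the alert text is constructed in the layout README.sfportscan documents, and the numeric thresholds, the 6-port limit and the 135-141 allowlist are assumptions for illustration.

```python
import re

# Constructed sfportscan alert payloads (field layout as in README.sfportscan);
# the hosts, counts and ranges below are made up for this example.
SAMPLE_ALERTS = """\
10.0.0.7 -> 10.0.0.20 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 5
IP Count: 1
Scanner IP Range: 10.0.0.7:10.0.0.7
Port/Proto Count: 5
Port/Proto Range: 135:139

10.0.0.7 -> 10.0.0.20 (portsweep) TCP Portsweep
Priority Count: 12
Connection Count: 40
IP Count: 38
Scanner IP Range: 10.0.0.7:10.0.0.7
Port/Proto Count: 1
Port/Proto Range: 445:445
"""

INT_FIELDS = ("Priority Count", "Connection Count", "IP Count", "Port/Proto Count")

def parse_alerts(text):
    """Split alert payloads on blank lines into dicts; lines without 'key: value' are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Port/Proto Count" not in fields:
            continue
        alert = {k: int(fields[k]) for k in INT_FIELDS}
        lo, hi = fields["Port/Proto Range"].split(":")
        alert["Port/Proto Range"] = (int(lo), int(hi))
        alerts.append(alert)
    return alerts

def classify(alert, max_ports_ok=6, benign_ranges=((135, 141),)):
    """Apply the README's ratio heuristics; thresholds and the allowlist are assumed values."""
    ips, ports, conns = alert["IP Count"], alert["Port/Proto Count"], alert["Connection Count"]
    lo, hi = alert["Port/Proto Range"]
    # James's wish: a handful of ports, all inside an expected range, is not worth an alert.
    if ports <= max_ports_ok and any(a <= lo and hi <= b for a, b in benign_ranges):
        return "likely-benign"
    ports_per_ip, conns_per_port = ports / ips, conns / ports
    if ports_per_ip >= 5 and conns_per_port <= 1.5:   # many ports, each hit about once
        return "portscan"
    if ports_per_ip < 2 and conns_per_port >= 3:      # few ports, hit on many hosts
        return "portsweep"
    return "unclear"

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a["Port/Proto Range"], classify(a))
```

Running it prints `likely-benign` for the five-port 135-139 alert and `portsweep` for the single-port 445 alert across 38 hosts.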




