IDS mailing list archives

IDS and portscan-detection


From: klaus.dombrofsky () degussa com
Date: Thu, 28 Aug 2003 15:49:34 +0200

Hi folks,

I'm managing several IDS systems (Snort-based) with a central 
SQL database.
One option in my sensors is Portscan Detection,
with several settings:

        Number Of Ports 
        Number Of Hosts 
        Detection Period (s) 

So, what would you suggest as good settings for detecting portscans?

How many ports or how many hosts in what period of time is a value that 
makes sense?
The smaller the settings, the bigger the amount of data; the bigger the 
settings, the bigger the chance
of missing "important data".

Where is the happy medium?

Maybe it makes no sense to keep an eye on portscans on the IDS, because 
most scans are typical,
evident scans from "harmless" guys and so on.
 
best regards 
Klaus-Peter Dombrofsky
its.on 
Global Network Services
Security Management
T +49.(0)8621 86 3057
M +49.(0)175 2617851
E-Mail: Klaus.Dombrofsky () degussa com 
GPG-Key available
Fingerprint
C4DB D0C8 63AB E637 7879 A7FC 2A97 7196 CF34 0C1D
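
The three knobs in the post (number of ports, number of hosts, detection period) can be read as per-source thresholds over a sliding time window. The following Python is an added example, not code from the original message and not Snort's own portscan preprocessor: it implements that reading and runs four settings against constructed traffic (a fast vertical scan, a slow horizontal sweep and an ordinary client) to show the trade-off the post describes. The addresses, timestamps, record format and the assumption that the sensor alerts when either threshold is reached within the period are all constructed for this example.

```python
"""Sliding-window port scan detector.

Added example, not from the original post or from Snort. It models
"Number Of Ports", "Number Of Hosts" and "Detection Period (s)" as
per-source thresholds over a trailing window and shows how changing
them alters what gets flagged. All traffic below is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    """One connection attempt (e.g. a SYN) reduced to the fields we need."""
    ts: float   # seconds
    src: str
    dst: str
    dport: int


def detect_scans(attempts, max_ports, max_hosts, period):
    """Flag a source that reaches max_ports distinct destination ports or
    max_hosts distinct destination hosts within the trailing `period` seconds.

    Returns (src, ts, distinct_ports, distinct_hosts) tuples, at most one per
    source per `period` seconds so one scan does not yield one alert per probe.
    The OR of the two thresholds is an assumption about the sensor's semantics.
    """
    windows = defaultdict(deque)   # src -> deque of (ts, dst, dport), oldest first
    last_alert = {}
    alerts = []
    for a in sorted(attempts, key=lambda x: x.ts):
        win = windows[a.src]
        win.append((a.ts, a.dst, a.dport))
        # Expire probes that fell out of the detection period.
        while win and a.ts - win[0][0] >= period:
            win.popleft()
        ports = {p for _, _, p in win}
        hosts = {h for _, h, _ in win}
        if len(ports) >= max_ports or len(hosts) >= max_hosts:
            if a.src in last_alert and a.ts - last_alert[a.src] < period:
                continue   # suppression window for this source still open
            last_alert[a.src] = a.ts
            alerts.append((a.src, a.ts, len(ports), len(hosts)))
    return alerts


def sample_attempts():
    """Constructed traffic for the example (not captured data)."""
    out = []
    # 10.0.0.5: vertical scan, 20 ports on one host within two seconds.
    for i in range(20):
        out.append(Attempt(100.0 + 0.1 * i, "10.0.0.5", "192.168.1.10", i + 1))
    # 10.0.0.6: slow horizontal sweep, port 445 on eight hosts, one every 8 s.
    for i in range(8):
        out.append(Attempt(200.0 + 8 * i, "10.0.0.6", f"192.168.1.{i + 1}", 445))
    # 10.0.0.7: ordinary client, two web ports on three hosts over 40 s.
    out += [
        Attempt(300.0, "10.0.0.7", "192.168.1.20", 80),
        Attempt(305.0, "10.0.0.7", "192.168.1.20", 443),
        Attempt(320.0, "10.0.0.7", "192.168.1.21", 80),
        Attempt(340.0, "10.0.0.7", "192.168.1.22", 443),
    ]
    return out


def flagged_sources(max_ports, max_hosts, period, attempts=None):
    """Sorted list of sources flagged under one setting."""
    attempts = sample_attempts() if attempts is None else attempts
    return sorted({src for src, _, _, _ in
                   detect_scans(attempts, max_ports, max_hosts, period)})


if __name__ == "__main__":
    settings = [
        ("ports=5  hosts=5  period=10s", (5, 5, 10)),
        ("ports=5  hosts=5  period=60s", (5, 5, 60)),
        ("ports=2  hosts=3  period=60s", (2, 3, 60)),
        ("ports=50 hosts=50 period=10s", (50, 50, 10)),
    ]
    for label, cfg in settings:
        print(f"{label}: {flagged_sources(*cfg)}")
```

Running it shows the trade-off from the post: with a 10 s period the fast vertical scan is caught but the 8 s-spaced sweep never has more than two hosts in the window and is missed; lengthening the period to 60 s catches both while the ordinary client (two ports, three hosts) stays quiet; dropping the thresholds to two ports or three hosts flags the ordinary client as well; raising them to 50 misses everything. The suppression of repeat alerts per source within one period is what keeps "the amount of data" bounded at small thresholds.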
 

