Security Incidents mailing list archives

Re: Assistance and advice request


From: Michel Kaempf <maxx () SECURITE ORG>
Date: Fri, 28 Jul 2000 22:14:50 +0200

On Thu, Jul 27, 2000, Kirklin Spencer wrote:
> Situation two.  Slow Scan.
> to suspect that it is a probe.  Again, what tools might I use and how should
> I be using them (and who should I be telling)?

I can tell you how I handle slow scans with snort, perhaps it will give
you some ideas, perhaps we can find a better way to handle them.

I use snort to monitor a huge network, both the subnet hosts and the
internet hosts are monitored. As I use the excellent snort rules from

        http://www.snort.org/

I realized that a tool was needed to sort the snort alert files. And I
don't use the portscan preprocessor, because I find setting arbitrary
values of timing and repetition in order to detect portscans is not
reliable, it cannot detect slow scans, and it triggers a lot of false
positives.

I wrote a little program, 5n0r7, which sorts the snort alert files, and
allows one to easily find out attacks by looking at 5n0r7's output. If
you run 5n0r7 on an alert file that is being filled by snort for a long
time, you will see the slow scans. You can download it from

        ftp://snort.via.ecp.fr/5n0r7/5n0r7.c

I will write a second version as soon as possible because I need a bunch
of new features. I hope you can find it useful.

Best regards,

--
MaXX
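The approach described in the post above (sort a long-running alert file by source host and look for hosts that touch many distinct targets, however slowly), as an added example in Python. This is not 5n0r7 and not code from the post or from snort. The alert lines are constructed for the example and modeled on snort's one-line alert output; the exact field layout, the rule names, the year used for the timestamps and the thresholds are all assumptions. A naive timing-window detector is included alongside so the difference the post describes is visible: the fast scanner is caught by both, the slow scanner only by the whole-file aggregation.

```python
"""Aggregate snort-style alert lines by source host to surface slow scans.

Added example; not the 5n0r7 tool from the post. SAMPLE_ALERTS is
constructed and modeled on snort's single-line alert output; the exact
layout is an assumption made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.0.5 probes one new port every ~6 hours (slow scan),
# 10.0.0.9 hits 4 ports within 3 seconds (fast scan), 10.0.0.7 is a single hit.
SAMPLE_ALERTS = """\
07/25-01:00:00.000001 [**] SCAN probe [**] {TCP} 10.0.0.5:40001 -> 192.168.1.10:21
07/25-07:10:00.000002 [**] SCAN probe [**] {TCP} 10.0.0.5:40002 -> 192.168.1.10:22
07/25-13:20:00.000003 [**] SCAN probe [**] {TCP} 10.0.0.5:40003 -> 192.168.1.10:23
07/25-19:30:00.000004 [**] SCAN probe [**] {TCP} 10.0.0.5:40004 -> 192.168.1.10:25
07/26-01:40:00.000005 [**] SCAN probe [**] {TCP} 10.0.0.5:40005 -> 192.168.1.10:80
07/26-07:50:00.000006 [**] SCAN probe [**] {TCP} 10.0.0.5:40006 -> 192.168.1.10:110
07/26-08:00:00.000007 [**] SCAN probe [**] {TCP} 10.0.0.9:51000 -> 192.168.1.10:21
07/26-08:00:01.000008 [**] SCAN probe [**] {TCP} 10.0.0.9:51001 -> 192.168.1.10:22
07/26-08:00:02.000009 [**] SCAN probe [**] {TCP} 10.0.0.9:51002 -> 192.168.1.10:23
07/26-08:00:03.000010 [**] SCAN probe [**] {TCP} 10.0.0.9:51003 -> 192.168.1.10:25
07/26-09:00:00.000011 [**] WEB-MISC robots.txt [**] {TCP} 10.0.0.7:33000 -> 192.168.1.10:80
"""

# Assumed one-line layout: "MM/DD-HH:MM:SS.usec [**] msg [**] ... {PROTO} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text, year=2000):
    """Parse alert lines into (time, src, dst, dport, msg) tuples, sorted by time.
    The timestamp carries no year, so one is supplied (assumption: 2000)."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # multi-line or unrelated output is skipped
        ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
        events.append((ts, m["src"], m["dst"], int(m["dport"]), m["msg"]))
    events.sort()
    return events


def summarize_by_source(events):
    """Per source host: distinct (dst, dport) targets, first/last seen, alert count."""
    summary = {}
    for ts, src, dst, dport, _msg in events:
        s = summary.setdefault(src, {"targets": set(), "first": ts, "last": ts, "alerts": 0})
        s["targets"].add((dst, dport))
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["alerts"] += 1
    return summary


def threshold_scanners(events, min_targets, window_seconds):
    """Mimic a timing-threshold portscan detector: flag a source only if it touches
    at least min_targets distinct targets inside some window_seconds span."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, _msg in events:
        per_src[src].append((ts, (dst, dport)))
    flagged = set()
    for src, hits in per_src.items():
        hits.sort()
        for i, (ts, _target) in enumerate(hits):
            start = i
            while start > 0 and (ts - hits[start - 1][0]).total_seconds() <= window_seconds:
                start -= 1
            if len({t for _, t in hits[start:i + 1]}) >= min_targets:
                flagged.add(src)
                break
    return flagged


def long_window_scanners(summary, min_targets):
    """Flag any source that touched at least min_targets distinct targets over the
    whole file, no matter how slowly: this is what surfaces the slow scan."""
    return {src for src, s in summary.items() if len(s["targets"]) >= min_targets}


def report(summary):
    """One line per source, most distinct targets first."""
    rows = []
    for src, s in sorted(summary.items(), key=lambda kv: -len(kv[1]["targets"])):
        span_h = (s["last"] - s["first"]).total_seconds() / 3600
        rows.append(f"{src:15} targets={len(s['targets']):3} alerts={s['alerts']:3} span={span_h:6.1f}h")
    return rows


if __name__ == "__main__":
    ev = parse_alerts(SAMPLE_ALERTS)
    summ = summarize_by_source(ev)
    print("\n".join(report(summ)))
    print("timing window (4 targets / 60 s):", sorted(threshold_scanners(ev, 4, 60)))
    print("whole file    (4 targets)       :", sorted(long_window_scanners(summ, 4)))
```

On the constructed input the timing-window detector flags only 10.0.0.9, while the whole-file summary flags both 10.0.0.9 and the slow 10.0.0.5, which spreads six probes over about 31 hours. In practice the alert file should be fed in as it accumulates (the post's point about running the sort on a file that snort has been filling for a long time), and the distinct-target threshold kept low enough that a host touching a handful of unrelated ports over days still rises to the top of the report.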

