Snort mailing list archives
Re: DNS, portscan, & laptops
From: Andrew Daviel <andrew () andrew triumf ca>
Date: Mon, 18 Jun 2001 16:45:04 -0700 (PDT)
On Mon, 18 Jun 2001, Brian Caswell wrote:
Never never never never do anything but wave big red flags at yourself automagically. Computers are smart, but computers don't know politics. Heck, people don't know politics. Why should computers know any better?
Well, yes, but I believe that most (all?) of the wide port scans I see are real and either represent a compromised machine or a worm, and as such should be reported quickly and hopefully fixed. I was getting fed up doing it by hand. This isn't "someone poked port 80 on my PC", but "someone did a SYN scan for DNS to 13,000 consecutive addresses". This particular case, I admit, wasn't that but "someone probed 900 UDP ports on our machine", and if I have more false alerts from portscanning on single addresses I may drop single address reports.

Ideally of course I would like 0% false alerts and 100% success in notification. Currently I'm probably running about 1% false alerts and 50% success in notification.

The wider question is, I suppose, what should we report, to whom, and how quickly. Aside from after-the-fact forensics, if I don't report anything to anyone I might as well not bother collecting IDS data. I don't myself particularly care if some kid out there is using his own PC to scan our address space, but I suspect that if he's broken into someone else's computer and is using that, that they would indeed care, and I think that automatic reporting is better than nothing for trying to tell them.

Andrew Daviel
TRIUMF
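Added example, not part of the thread: a small Python triage that applies the distinction drawn in the message above, wide sweeps across many addresses get auto-reported, many ports on a single host go to a human, and anything smaller is ignored. The per-probe log line format, the sample lines and the thresholds are constructed assumptions for illustration, not Snort's actual portscan output.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumption: one "timestamp src:sport -> dst:dport flags"
# line per probe, loosely modelled on a portscan log). Not real traffic.
SAMPLE_LOG = """\
Jun 18 16:40:01 192.0.2.10:2048 -> 198.51.100.1:53 SYN ******S*
Jun 18 16:40:01 192.0.2.10:2049 -> 198.51.100.2:53 SYN ******S*
Jun 18 16:40:01 192.0.2.10:2050 -> 198.51.100.3:53 SYN ******S*
Jun 18 16:40:02 192.0.2.10:2051 -> 198.51.100.4:53 SYN ******S*
Jun 18 16:40:02 192.0.2.10:2052 -> 198.51.100.5:53 SYN ******S*
Jun 18 16:41:10 203.0.113.7:40000 -> 198.51.100.20:137 UDP
Jun 18 16:41:10 203.0.113.7:40000 -> 198.51.100.20:138 UDP
Jun 18 16:41:10 203.0.113.7:40000 -> 198.51.100.20:161 UDP
Jun 18 16:41:11 203.0.113.7:40000 -> 198.51.100.20:500 UDP
Jun 18 16:42:00 192.0.2.99:3333 -> 198.51.100.30:80 SYN ******S*
"""

LINE_RE = re.compile(r"^\w{3} \d+ [\d:]+ (\S+):(\d+) -> (\S+):(\d+) (\S+)")

def summarize(log_text):
    """Per source address: (distinct destination hosts, distinct destination ports)."""
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        src, _, dst, dport, _ = m.groups()
        hosts[src].add(dst)
        ports[src].add(int(dport))
    return {src: (len(hosts[src]), len(ports[src])) for src in hosts}

def triage(log_text, min_hosts=3, min_ports=3):
    """Map each source to 'report' (address sweep, auto-notify the owner),
    'review' (many ports on one host, let a human decide) or 'ignore'."""
    verdicts = {}
    for src, (n_hosts, n_ports) in summarize(log_text).items():
        if n_hosts >= min_hosts:
            verdicts[src] = "report"
        elif n_ports >= min_ports:
            verdicts[src] = "review"
        else:
            verdicts[src] = "ignore"
    return verdicts
```

The thresholds are deliberately low so the constructed sample triggers every branch; real deployments would set them from observed scan widths.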
Current thread:
- DNS, portscan, & laptops Andrew Daviel (Jun 18)
- Re: DNS, portscan, & laptops Andrew Daviel (Jun 18)
- Re: DNS, portscan, & laptops Brian Caswell (Jun 18)
- Re: DNS, portscan, & laptops Andrew Daviel (Jun 18)
- Re: DNS, portscan, & laptops Vitaly Osipov (Jun 19)