Snort mailing list archives

Re: [spp_portscan]


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 20 Jun 2002 12:09:42 -0400

Well, first let's explain a bit about what the portscan preprocessor does.

SPP portscan is a relatively simple SYN packet counter.

From the default snort conf:

preprocessor portscan: $HOME_NET 4 3 portscan.log

This means that if there are SYNs to 4 different port/IP combinations on machines within HOME_NET within 3 seconds from a given host, it is declared to be a portscan.

This could easily false if:

1) HOME_NET is set to any (ouch!) and the user starts browsing the web.

2) the particular Windows machine does any kind of "batch connects" to other machines with IP addresses covered by HOME_NET. Examples might include things like a POP client fetching mail from 4 different internal mailservers at the same time, some kind of database app that contacts 4 different SQL servers, etc etc etc.

You've been very non-specific about your configuration and the nature of the alerts, but taking a wild guess I'd say you most likely have case 1, in which case you should create a separate variable for the portscan preprocessor to use. You really don't want to be detecting portscans to "any" without bumping up the thresholds to levels that won't be useful in detecting scans back to your network.

Without some more useful level of detail (i.e., what ports are in the alerts? Are the destinations of the scan IPs within your network? Are any of the machines involved servers? Mailservers? DNS servers?) wild guesses are the best anyone can give you.



At 08:09 AM 6/20/2002 -0400, Gregory D Hough wrote:
Greetings group,

I have snort listening on my gateway nic and was curious about all the
spp_portscan alerts logged from a win box inside the network. Mulling over
the faq's I see how to ignore this host, but would like to know WHY first.

Can anyone offer a simple explanation as to WHY there are so many portscan
alerts from this win box?

Thanks,

farmer6re9
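To make the counting logic in Matt's reply concrete, here is an added Python model of the spp_portscan threshold (not Snort's own code and not part of the original thread). It replays a constructed SYN log for one internal host: a POP client polling four internal mailservers (case 2 above) and a short burst of ordinary web browsing, and shows that with HOME_NET set to any the browsing also trips the 4-in-3-seconds threshold, while a properly scoped HOME_NET leaves only the mail burst. The IPs, timestamps and the sliding-window implementation are assumptions of this example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed SYN records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 100.x: a POP client contacting four internal mailservers at once (case 2).
# 150.x: the same host browsing two external web sites (case 1 if HOME_NET is any).
SYN_LOG = [
    (100.0, "10.0.0.5", "10.0.0.10", 110),
    (100.2, "10.0.0.5", "10.0.0.11", 110),
    (100.4, "10.0.0.5", "10.0.0.12", 110),
    (100.9, "10.0.0.5", "10.0.0.13", 110),       # 4th distinct target in < 3 s
    (150.0, "10.0.0.5", "93.184.216.34", 80),    # outside 10.0.0.0/24
    (150.1, "10.0.0.5", "93.184.216.34", 443),
    (150.2, "10.0.0.5", "198.51.100.7", 80),
    (150.3, "10.0.0.5", "198.51.100.8", 80),
]


def portscan_alerts(syns, home_net, ports=4, period=3.0):
    """Return [(timestamp, src_ip), ...] alerts.

    Simplified spp_portscan model as described in the reply: one source
    SYNing to `ports` distinct (dst_ip, dst_port) pairs inside `home_net`
    within `period` seconds is declared a portscan. Defaults mirror the
    "$HOME_NET 4 3" line from the stock snort.conf.
    """
    net = ip_network(home_net)
    window = defaultdict(deque)   # src -> deque of (ts, (dst_ip, dst_port))
    alerts = []
    for ts, src, dst, port in sorted(syns):
        if ip_address(dst) not in net:
            continue              # only SYNs to monitored hosts are counted
        q = window[src]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > period:
            q.popleft()           # drop targets older than the detection period
        if len({target for _, target in q}) >= ports:
            alerts.append((ts, src))
            q.clear()             # one burst -> one alert
    return alerts


if __name__ == "__main__":
    print("HOME_NET any:       ", portscan_alerts(SYN_LOG, "0.0.0.0/0"))
    print("HOME_NET 10.0.0.0/24:", portscan_alerts(SYN_LOG, "10.0.0.0/24"))
```

The mail burst still alerts under the scoped HOME_NET, which is the case where a dedicated portscan variable or a host-specific ignore, as the reply suggests, is the right fix rather than raising the global threshold.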


