Snort mailing list archives
RE: Portscanning from my network
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Mon, 8 Apr 2002 13:04:58 -0400
Actually I would do just the opposite. I would experiment bumping UP the numbers 4 and 3. How about flagging a communication as a portscan when 5 or more ports are scanned within 20 seconds? From what I have read, this may be more realistic and could cut out some of the false alerts. I don't see how regular browsing would show up as a portscan, but then again I haven't experimented with this feature that much.

After experimenting with the portscan preprocessor settings, you could also block out any hosts you know are generating false alerts using preprocessor portscan-ignorehosts.

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com

-----Original Message-----
From: Steve Ochani [mailto:jpegny () optonline net]
Sent: Friday, April 05, 2002 9:30 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Portscanning from my network

Hello,

I'm running snort 1.8.3 (sun os 5.8 on ultra 10). I need to detect portscans *from* my network to the outside, while also being able to detect portscans from outside directed to my network.

I edited the line in snort.conf from

preprocessor portscan: $HOME_NET 4 3 portscan.log

to

preprocessor portscan: any 4 3 portscan.log

and I was able to detect outgoing portscans (with nmap for example), but the problem is even if someone browses the web it gets picked up as a portscan. I tried changing from 4 ports in 3 secs to 4 ports to 1 and 2 but still same problem and I don't want to make that too low since scans from outside might not be picked up.

Any suggestions?
Thanks

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
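The threshold tuning discussed in this thread (Steve's `any 4 3` setting versus Paul's suggested 5 ports in 20 seconds, plus `portscan-ignorehosts`) modelled in Python, as an added example. This is not Snort's own preprocessor code and not code from either poster: it assumes the preprocessor counts distinct destination ports per source inside a sliding time window, and the traffic it runs over (an nmap-style scan, a browsing burst, and a mail relay touching DNS/SMTP/HTTP/HTTPS) is constructed for illustration, not captured.

```python
"""Simplified model of the Snort 1.x threshold portscan heuristic.

Added example, not Snort's code. Assumption: a source is flagged when it
touches at least PORTS distinct destination ports within any window of
SECONDS, unless it is listed in ignore_hosts (cf. portscan-ignorehosts).
"""
from collections import defaultdict, deque
from typing import Dict, FrozenSet, Iterable, NamedTuple, Tuple


class Conn(NamedTuple):
    ts: float      # seconds since start of the (constructed) capture
    src: str
    dst: str
    dport: int


def scanning_sources(conns: Iterable[Conn], ports: int, seconds: float,
                     ignore_hosts: FrozenSet[str] = frozenset()
                     ) -> Dict[str, Tuple[float, int]]:
    """Return {src: (alert_ts, distinct_ports)} for every source that reaches
    `ports` distinct destination ports within `seconds`; one alert per source.
    Mirrors `preprocessor portscan: any <ports> <seconds>` under the
    distinct-port assumption stated in the module docstring."""
    window = defaultdict(deque)   # src -> deque of (ts, dport) still in window
    alerts: Dict[str, Tuple[float, int]] = {}
    for c in sorted(conns, key=lambda c: c.ts):
        if c.src in ignore_hosts or c.src in alerts:
            continue
        q = window[c.src]
        q.append((c.ts, c.dport))
        while q and q[0][0] < c.ts - seconds:   # drop entries older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= ports:
            alerts[c.src] = (c.ts, len(distinct))
    return alerts


# --- constructed traffic, not a real capture ---
# 1. nmap-style scan from a workstation: 20 ports on one host within 2 s
SCAN = [Conn(0.1 * i, "10.1.1.50", "203.0.113.9", 20 + i) for i in range(20)]
# 2. web browsing from another workstation: 8 servers on 80/443 within 3 s
BROWSE = [Conn(0.3 * i, "10.1.1.51", f"198.51.100.{i}", 443 if i % 2 else 80)
          for i in range(8)]
# 3. a mail relay that legitimately hits DNS, SMTP, HTTP and HTTPS within 3 s
RELAY = [Conn(0.0, "10.1.1.25", "198.51.100.53", 53),
         Conn(0.5, "10.1.1.25", "198.51.100.25", 25),
         Conn(1.0, "10.1.1.25", "198.51.100.80", 80),
         Conn(2.0, "10.1.1.25", "198.51.100.80", 443)]
TRAFFIC = SCAN + BROWSE + RELAY


def compare_thresholds():
    """Run the three configurations discussed in the thread over TRAFFIC."""
    loose = scanning_sources(TRAFFIC, 4, 3)              # `any 4 3`
    tight = scanning_sources(TRAFFIC, 5, 20)             # Paul's 5 ports / 20 s
    ignored = scanning_sources(TRAFFIC, 4, 3,            # `any 4 3` + ignorehosts
                               ignore_hosts=frozenset({"10.1.1.25"}))
    return loose, tight, ignored


if __name__ == "__main__":
    for label, result in zip(("4 ports / 3 s", "5 ports / 20 s",
                              "4 ports / 3 s, relay ignored"),
                             compare_thresholds()):
        print(f"{label}: {sorted(result)}")
```

Under this model the scan is caught by every setting, the browsing burst never fires (it only touches ports 80 and 443), and the mail relay trips the `4 3` setting but not `5 20`, which is the effect Paul describes; listing the relay in `portscan-ignorehosts` silences it without raising the threshold for everyone else.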
Current thread:
- Portscanning from my network Steve Ochani (Apr 05)
- what would be the effect? Onie Camara (Apr 05)
- <Possible follow-ups>
- RE: Portscanning from my network Sheahan, Paul (PCLN-NW) (Apr 08)
- RE: Portscanning from my network Ryan Hill (Apr 08)
- Portscanning from my network Steve Ochani (Apr 14)