Snort mailing list archives
RE: Portscanning from my network
From: Ryan Hill <rhill () xypoint com>
Date: Mon, 8 Apr 2002 11:06:35 -0700
Paul is on the right track here... comments inline below:

Ryan Hill, MCSE
Manager, Technical Support (aka IT Ninja)
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
-----Original Message-----
From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan () priceline com]
Sent: Monday, April 08, 2002 10:05 AM
To: 'Steve Ochani'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Portscanning from my network

Actually I would do just the opposite. I would experiment bumping UP the numbers 4 and 3. How about flagging a communication as a portscan when 5 or more ports are scanned within 20 seconds? From what I have read, this may be more realistic and could cut out some of the false alerts. I don't see how regular browsing would show up as a portscan, but then again I haven't experimented with this feature that much.
For any moderately busy internal network, you will be forced to tweak your portscan settings. Even web browsing can cause this (multiple GETs to the same source), and portscan doesn't differentiate the type of traffic or content; it just detects multiple connect attempts over a given period.
After experimenting with the portscan preprocessor settings, you could also block out any hosts you know are generating false alerts using preprocessor portscan-ignorehosts.
preprocessor portscan-ignorehosts is your FRIEND!

Regards,
Ryan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
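The heuristic Paul and Ryan are tuning (flag a source that hits N ports within T seconds, and exempt known-noisy hosts with portscan-ignorehosts) can be modelled in a few dozen lines. The block below is an added example written for this archive page; it is not code from the thread and not Snort's preprocessor. It assumes a constructed connection log in a made-up "timestamp src dst dport" format, counts distinct (destination host, port) targets per source (an assumption about what "ports" means; it is what makes a parallel page load from several web servers look like a scan, as Ryan describes), and treats the ignore list as CIDR entries. The host roles in the sample (a browsing workstation, a real scanner, a monitoring box) are invented for illustration.

```python
"""Sliding-window portscan heuristic with an ignore list, modelled on the
thread's description of Snort 1.x's portscan preprocessor (N ports in T
seconds) and portscan-ignorehosts.  Added example, not Snort's own code."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed connection log: "<timestamp> <src> <dst> <dst_port>" per line.
# 10.0.0.5 is a workstation loading a page that pulls from four web servers,
# 10.0.0.9 scans ten ports on one host, 10.0.0.7 is a monitoring box that
# polls eight hosts on SSH (assumed roles and addresses, not real data).
SAMPLE_LOG = "\n".join(
    [
        "100.0 10.0.0.5 192.0.2.10 80",
        "100.3 10.0.0.5 192.0.2.11 80",
        "100.6 10.0.0.5 192.0.2.12 80",
        "101.0 10.0.0.5 192.0.2.13 80",
    ]
    + [f"{200.0 + i / 10:.1f} 10.0.0.9 10.0.0.1 {p}"
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 3389])]
    + [f"{300.0 + i / 10:.1f} 10.0.0.7 10.0.1.{i + 1} 22" for i in range(8)]
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield float(ts), src, dst, int(dport)


class PortscanDetector:
    """Alert when one source touches at least `ports` distinct (dst, port)
    targets within any `seconds`-long window.  Counting (host, port) pairs is
    an assumption of this model, not a statement about Snort's internals."""

    def __init__(self, ports, seconds, ignorehosts=()):
        self.ports = ports
        self.seconds = seconds
        # portscan-ignorehosts equivalent: sources whose traffic is never counted.
        self.ignore = [ip_network(h, strict=False) for h in ignorehosts]
        self.window = defaultdict(deque)  # src -> deque of (ts, (dst, dport))

    def ignored(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.ignore)

    def feed(self, ts, src, dst, dport):
        """Record one connection attempt; return an alert tuple or None."""
        if self.ignored(src):
            return None
        q = self.window[src]
        q.append((ts, (dst, dport)))
        # Drop attempts older than the detection period (events are time-ordered).
        while q and ts - q[0][0] > self.seconds:
            q.popleft()
        targets = {target for _, target in q}
        if len(targets) >= self.ports:
            return (src, len(targets), self.seconds)
        return None


def scanning_sources(log_text, ports, seconds, ignorehosts=()):
    """Return the sorted list of sources that triggered at least one alert."""
    det = PortscanDetector(ports, seconds, ignorehosts)
    hits = set()
    for ts, src, dst, dport in parse_log(log_text):
        alert = det.feed(ts, src, dst, dport)
        if alert:
            hits.add(alert[0])
    return sorted(hits)


if __name__ == "__main__":
    # The 4 ports / 3 seconds setting from the thread flags the browser too.
    print("4/3 :", scanning_sources(SAMPLE_LOG, 4, 3))
    # Paul's proposal (5 ports in 20 s) drops the browser but keeps the monitor.
    print("5/20:", scanning_sources(SAMPLE_LOG, 5, 20))
    # Adding the monitor to the ignore list leaves only the real scan.
    print("5/20 + ignorehosts:", scanning_sources(SAMPLE_LOG, 5, 20, ["10.0.0.7/32"]))
```

Run with 4 ports in 3 seconds, all three sample hosts alert; with 5 in 20, the four-server page load falls under the threshold while the scanner and the monitor still trip it; only the ignore list silences the monitor. The same two knobs in Snort 1.x config, using the directive form from the 1.x documentation, would be a line like "preprocessor portscan: $HOME_NET 5 20 /var/log/snort/portscan.log" followed by "preprocessor portscan-ignorehosts: 10.0.0.7/32" (addresses here are the sample's, not a recommendation).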
Current thread:
- Portscanning from my network Steve Ochani (Apr 05)
- what would be the effect? Onie Camara (Apr 05)
- <Possible follow-ups>
- RE: Portscanning from my network Sheahan, Paul (PCLN-NW) (Apr 08)
- RE: Portscanning from my network Ryan Hill (Apr 08)
- Portscanning from my network Steve Ochani (Apr 14)