Snort mailing list archives

RE: Portscanning from my network


From: Ryan Hill <rhill () xypoint com>
Date: Mon, 8 Apr 2002 11:06:35 -0700

Paul is on the right track here... comments inline below:

Ryan Hill, MCSE 
Manager, Technical Support (aka IT Ninja)
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001

-----Original Message-----
From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan () priceline com] 
Sent: Monday, April 08, 2002 10:05 AM
To: 'Steve Ochani'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Portscanning from my network
Actually I would do just the opposite. I would experiment 
bumping UP the numbers 4 and 3. How about flagging a 
communication as a portscan when 5 or more ports are scanned 
within 20 seconds? From what I have read, this may be more 
realistic and could cut out some of the false alerts. I don't 
see how regular browsing would show up as a portscan, but 
then again I haven't experimented with this feature that much. 

For any moderately busy internal network, you will be forced to tweak your
portscan settings. Even web browsing can cause this (multiple GETs to the
same source), and portscan doesn't differentiate the type of traffic or
content; it just detects multiple connect attempts over a given period.
After experimenting with the portscan preprocessor settings, 
you could also block out any hosts you know are generating 
false alerts using preprocessor portscan-ignorehosts.

preprocessor portscan-ignorehosts is your FRIEND!

Regards,
Ryan
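To make the trade-off in this thread concrete, here is an added example (not Snort's code and not from either poster) that models the portscan preprocessor the way the thread describes it: count a source's connection attempts in a time window, regardless of protocol or content, and skip sources on an ignore list. The sliding-window model and the sample connection records are constructed assumptions; the `snort.conf` lines in the comments follow the Snort 1.x syntax from memory, so check them against your own manual.

```python
"""Threshold model of Snort 1.x 'preprocessor portscan' (added example).

Equivalent snort.conf lines (Snort 1.x style, illustrative):
  preprocessor portscan: $HOME_NET 4 3 portscan.log      # 4 attempts in 3 s
  preprocessor portscan: $HOME_NET 5 20 portscan.log     # Paul's suggestion
  preprocessor portscan-ignorehosts: 10.0.0.9/32         # known noisy host
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed records: (seconds, src_ip, dst_ip, dst_port)
SAMPLE_CONNECTS = [
    # 10.0.0.5: one browsing session, DNS lookup plus a few page fetches
    (0.0, "10.0.0.5", "10.0.0.2", 53),
    (0.4, "10.0.0.5", "192.0.2.10", 80),
    (0.9, "10.0.0.5", "192.0.2.10", 80),
    (1.3, "10.0.0.5", "192.0.2.10", 443),
    # 10.0.0.9: a busy proxy, six outbound connects in 2.5 seconds
    (20.0, "10.0.0.9", "192.0.2.20", 80), (20.5, "10.0.0.9", "192.0.2.21", 80),
    (21.0, "10.0.0.9", "192.0.2.22", 80), (21.5, "10.0.0.9", "192.0.2.23", 443),
    (22.0, "10.0.0.9", "192.0.2.24", 80), (22.5, "10.0.0.9", "192.0.2.25", 80),
    # 10.0.0.66: ten different ports on one host, one per second
    *[(40.0 + i, "10.0.0.66", "10.0.0.50", p)
      for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445])],
]


def detect_scans(connects, ports, seconds, ignore_hosts=()):
    """Return {src_ip: time_first_flagged} for every source that makes at
    least `ports` connection attempts inside a `seconds`-long window."""
    ignored = [ip_network(h) for h in ignore_hosts]
    windows = defaultdict(list)  # src_ip -> timestamps still inside the window
    flagged = {}
    for ts, src, _dst, _dport in sorted(connects):
        if any(ip_address(src) in net for net in ignored):
            continue  # portscan-ignorehosts: this source is never evaluated
        window = windows[src]
        window.append(ts)
        while window and ts - window[0] > seconds:
            window.pop(0)  # slide: forget attempts older than the period
        if len(window) >= ports and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    print("4 in 3s :", detect_scans(SAMPLE_CONNECTS, 4, 3))
    print("5 in 20s:", detect_scans(SAMPLE_CONNECTS, 5, 20))
    print("5 in 20s, proxy ignored:",
          detect_scans(SAMPLE_CONNECTS, 5, 20, ignore_hosts=["10.0.0.9/32"]))
```

With the default thresholds the browsing host, the proxy and the sweep all fire; raising to 5 in 20 seconds drops the browsing host, and the ignore list drops the proxy while the sweep is still reported.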
