Snort mailing list archives

Re: paranoid portscan preprocessor setup


From: James Hoagland <hoagland () SiliconDefense com>
Date: Sat, 27 Jul 2002 10:23:42 -0700

At 6:28 PM -0400 7/26/02, Jason Falciola wrote:
2.  I want to see an event even if only 1 port is scanned by an inbound TCP
or UDP packet.  This doesn't seem to be working.  Do I need to write my own
rule for this, or is it a configuration issue?

I'm not clear on what you want here. A 1-packet scan is difficult to detect. If you try to do that with the portscan preprocessor (and it succeeds) I'll be reporting essentially all of your traffic as a scan, in which case you had just as well run tcpdump. Its domain is currently only TCP SYNs, but look into Spade (another Snort preprocessor) if what you want to detect is unusual packets.

Good luck,

  Jim

--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
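The trade-off Jim describes, as an added illustration that is not from the original thread and not Snort's code: a simplified sliding-window "N distinct targets in M seconds" SYN counter in the spirit of the old portscan preprocessor (my own model, with constructed sample traffic and documentation address ranges). Lowering the threshold to a single port flags every host that sends a SYN, which is the "just as well run tcpdump" outcome.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """One constructed packet record (not a real capture)."""
    ts: float        # arrival time in seconds
    src: str
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    flags: str = ""  # TCP flags, e.g. "S" or "SA"

def is_tcp_syn(pkt):
    # Plain SYN only: SYN-ACKs from servers are replies, not connection attempts
    return pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags

def detect_portscans(packets, ports, seconds):
    """Return the set of sources that sent SYNs to at least `ports` distinct
    (dst, dport) targets within any `seconds`-long window. A simplified
    model of a 'ports in seconds' threshold, not Snort's own algorithm."""
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, dport))
    flagged = set()
    for pkt in sorted(packets, key=lambda p: p.ts):
        if not is_tcp_syn(pkt):
            continue  # UDP and non-SYN TCP are outside this detector's domain
        q = recent[pkt.src]
        q.append((pkt.ts, (pkt.dst, pkt.dport)))
        while q and pkt.ts - q[0][0] > seconds:
            q.popleft()  # expire targets older than the window
        if len({target for _, target in q}) >= ports:
            flagged.add(pkt.src)
    return flagged

# Constructed sample traffic (documentation address ranges, not real hosts)
SAMPLE = [
    Packet(0.0, "10.0.0.5", "192.0.2.10", 80, "tcp", "S"),    # ordinary web client
    Packet(0.1, "192.0.2.10", "10.0.0.5", 80, "tcp", "SA"),   # server SYN-ACK, ignored
    Packet(1.5, "10.0.0.5", "192.0.2.10", 80, "tcp", "S"),    # same client, same port
    Packet(2.0, "10.0.0.7", "192.0.2.10", 53, "udp"),         # single UDP datagram, ignored
    Packet(3.0, "198.51.100.9", "192.0.2.10", 21, "tcp", "S"),
    Packet(3.2, "198.51.100.9", "192.0.2.10", 22, "tcp", "S"),
    Packet(3.4, "198.51.100.9", "192.0.2.10", 23, "tcp", "S"),
    Packet(3.6, "198.51.100.9", "192.0.2.10", 25, "tcp", "S"),
]

if __name__ == "__main__":
    print("4 ports in 3 s:", detect_portscans(SAMPLE, 4, 3))   # only 198.51.100.9
    print("1 port  in 3 s:", detect_portscans(SAMPLE, 1, 3))   # every SYN sender
```

With the threshold at one, the ordinary web client is reported alongside the multi-port source, and the single UDP datagram is never seen at all because the detector's domain is TCP SYNs.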



