Snort mailing list archives
Re: paranoid portscan preprocessor setup
From: James Hoagland <hoagland () SiliconDefense com>
Date: Sat, 27 Jul 2002 10:23:42 -0700
At 6:28 PM -0400 7/26/02, Jason Falciola wrote:
2. I want to see an event even if only 1 port is scanned by an inbound TCP or UDP packet. This doesn't seem to be working. Do I need to write my own rule for this, or is it a configuration issue?
I'm not clear on what you want here. A 1-packet scan is difficult to detect. If you try to do that with the portscan preprocessor (and it succeeds) I'll be reporting essentially all of your traffic as a scan, in which case you had just as well run tcpdump. Its domain is currently only TCP SYNs, but look into Spade (another Snort preprocessor) if what you want to detect is unusual packets.
Good luck,

Jim

--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
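As an added illustration of the threshold trade-off Jim describes (example code written for this archive page, not Snort's portscan preprocessor and not from anyone in the thread; the SYN log and addresses are constructed), a toy per-source "N distinct ports in M seconds" counter shows that a threshold of one port flags every client, while a modest threshold isolates the host that walked six ports:

```python
# Toy port-scan counter in the spirit of the classic Snort portscan
# preprocessor's "ports in seconds" setting. Added example; not Snort code.
from collections import defaultdict

# Constructed SYN log: (timestamp_seconds, src_ip, dst_ip, dst_port).
# Two ordinary clients (web, mail) and one host probing six ports quickly.
SYN_LOG = [
    (0.0, "10.0.0.5", "192.0.2.10", 80),
    (0.4, "10.0.0.5", "192.0.2.10", 443),
    (1.0, "10.0.0.6", "192.0.2.20", 25),
    (2.0, "10.0.0.9", "192.0.2.10", 21),
    (2.1, "10.0.0.9", "192.0.2.10", 22),
    (2.2, "10.0.0.9", "192.0.2.10", 23),
    (2.3, "10.0.0.9", "192.0.2.10", 25),
    (2.4, "10.0.0.9", "192.0.2.10", 80),
    (2.5, "10.0.0.9", "192.0.2.10", 110),
]


def scanning_sources(syn_log, ports, seconds):
    """Return the set of source IPs that touched at least `ports` distinct
    (dst_ip, dst_port) pairs within any sliding window of `seconds`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in syn_log:
        by_src[src].append((ts, (dst, port)))

    flagged = set()
    for src, events in by_src.items():
        events.sort()
        # Slide a window starting at each SYN and count distinct targets in it.
        for i, (t0, _) in enumerate(events):
            targets = {key for ts, key in events[i:] if ts - t0 <= seconds}
            if len(targets) >= ports:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    # "Paranoid" threshold of one port: every source in the log is a "scan".
    print(scanning_sources(SYN_LOG, ports=1, seconds=3))
    # Four ports in three seconds: only the probing host remains.
    print(scanning_sources(SYN_LOG, ports=4, seconds=3))
```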