Snort mailing list archives

Re: paranoid portscan preprocessor setup


From: Jim Burwell <jimb () broadvision com>
Date: Sat, 27 Jul 2002 13:11:16 -0700

Sounds to me like you want to catch any packet to ports that aren't allowed by your security policy, since it's obvious that you can't determine whether a single connection to an 'allowed' dip/dport can't be classified as a scan or legit connection easily (although a connection that immediately hangs up, or doesn't follow up w/ the required handshake, etc, could be classified as a scan or probe. Not sure if anything in Snort can look for this sort of thing.). The portscan processor only reports a scan when a number of connections exceed a threshold. One thing you may want to look into is Spade. It looks for 'unusual' packets to uncommon destinations and reports them. It may do more of what you're looking for.

- Jim

James Hoagland wrote:

At 6:28 PM -0400 7/26/02, Jason Falciola wrote:

2. I want to see an event even if only 1 port is scanned by an inbound TCP or UDP packet. This doesn't seem to be working. Do I need to write my own rule for this, or is it a configuration issue?


I'm not clear on what you want here. A 1-packet scan is difficult to detect. If you try to do that with the portscan preprocessor (and it succeeds) I'll be reporting essentially all of your traffic as a scan in which case you had just as well run tcpdump. Its domain is currently only TCP SYNs, but look into Spade (another Snort preprocessor) if what you want to detect is unusual packets.

Good luck,

  Jim
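To make the difference between the two approaches in this thread concrete (flagging any packet that falls outside the security policy, as Jim suggests, versus the threshold-based counting the portscan preprocessor does), here is an added example that is not from the original thread or from Snort. The packet records, addresses and the allow-list are constructed; the threshold logic is a simplified model of the preprocessor, not its real code.

```python
from collections import defaultdict

# Constructed sample traffic: (src_ip, dst_ip, dst_port, proto, tcp_flags)
# tcp_flags is "S" for a bare SYN, "A" for an ACK, "" for UDP.
PACKETS = [
    ("198.51.100.7", "192.0.2.10", 80, "tcp", "S"),    # legitimate web connection
    ("198.51.100.7", "192.0.2.10", 80, "tcp", "A"),
    ("203.0.113.5", "192.0.2.10", 22, "tcp", "S"),     # single SYN to a port policy forbids
    ("203.0.113.9", "192.0.2.10", 21, "tcp", "S"),     # one source sweeping many ports
    ("203.0.113.9", "192.0.2.10", 23, "tcp", "S"),
    ("203.0.113.9", "192.0.2.10", 25, "tcp", "S"),
    ("203.0.113.9", "192.0.2.10", 110, "tcp", "S"),
    ("203.0.113.9", "192.0.2.10", 143, "tcp", "S"),
    ("198.51.100.8", "192.0.2.10", 53, "udp", ""),     # allowed DNS query
]

# Constructed security policy: (dst_ip, dst_port, proto) tuples allowed inbound.
ALLOWED = {
    ("192.0.2.10", 80, "tcp"),
    ("192.0.2.10", 443, "tcp"),
    ("192.0.2.10", 53, "udp"),
}


def policy_violations(packets, allowed=ALLOWED):
    """Report every packet whose destination is outside policy.

    This fires per packet, so a probe of a single forbidden port is reported;
    the trade-off is that a single packet to an allowed port is never flagged.
    """
    return [p for p in packets if (p[1], p[2], p[3]) not in allowed]


def threshold_scans(packets, threshold=5):
    """Simplified model of the portscan preprocessor's approach: count distinct
    (dst_ip, dst_port) targets per source, TCP SYNs only, and report sources
    that reach the threshold.  A 1-packet probe can never reach it.
    """
    targets = defaultdict(set)
    for src, dst, dport, proto, flags in packets:
        if proto == "tcp" and flags == "S":
            targets[src].add((dst, dport))
    return {src for src, seen in targets.items() if len(seen) >= threshold}


if __name__ == "__main__":
    for p in policy_violations(PACKETS):
        print("policy violation:", p)
    print("threshold scanners:", threshold_scans(PACKETS))
```

Running it shows the single SYN from 203.0.113.5 to port 22 appears only in the policy output, while the sweep from 203.0.113.9 appears in both.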




