Snort mailing list archives

RE: Portscan2 filtering suggestions - Snort 1.9.0 & acid


From: "Beckett, Josh" <JBeckett () enviance com>
Date: Wed, 9 Oct 2002 13:47:30 -0700

Just to clarify, I do have $HOME_NET and $IGNORE_PORTSCAN defined
properly, and the alerts are sourced on port 80 of the web server and
reply to the appropriate ephemeral ports on my home net.

Basically a scan alert triggering only on the web server's reply to my
user's outbound request, but not an alert on the original request nor
the multiple ports opening with the destination of the server's port 80.

I hope that makes it more clear.

J-

-----Original Message-----
From: Beckett, Josh 
Sent: Wednesday, October 09, 2002 1:38 PM
To: 'Snort-users () lists sourceforge net'
Subject: Portscan2 filtering suggestions - Snort 1.9.0 & acid


I'm trying to tune out the false positives triggered by my users going
to a website and the ensuing http conversation opening up many ports.

I've upped the portscan2 preprocessor port_limit value from default to
20 and then to 25.  Each time I increase the value, the alerts continue
to trigger at the new, higher threshold.

I understand what is going on at the tcp level but I am concerned that
the more I increase the threshold, the greater my chances of missing a
real scan.

In the reported alerts, the target value is always 1, which makes sense,
so I haven't messed with the portscan2 target value.  The alerts are
often under 5-10 seconds so adjusting the timeout would seem to have
little positive effect without an equal negative effect of increasing
the potential for missing true positives.

Any suggestions, thoughts, criticisms on what other adjustments I could
make (other than the obvious of keep crankin' up the port_limit and
lower the timeout)?

Josh Beckett
CISSP
Enviance.com
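The false positive described in this thread, modelled as an added example (this is not Snort's portscan2 code, and the packet records, IP addresses and the simplified one-window counter are constructed assumptions): a page load opens many connections from ephemeral ports to the server's port 80, and the server's replies come back from port 80 to each of those ephemeral ports. A counter that tallies distinct destination ports per (source, destination) pair regardless of who opened the connection sees the server touch as many ports as the page had objects, so raising port_limit only moves the threshold. Counting only connection initiators (pure SYNs) removes the reply-side count while a real SYN scan still trips the threshold:

```python
"""Simplified portscan2-style counter over constructed traffic (added example).

Model: a (src, dst) pair alerts when it touches more than PORT_LIMIT distinct
destination ports inside one TIMEOUT window.  This is an illustration of the
counting problem in the thread, not Snort's implementation.
"""

PORT_LIMIT = 20   # the thread's raised portscan2 port_limit
TIMEOUT = 60      # portscan2 default timeout, in seconds (assumed)


def browsing_session(client="10.0.0.5", server="203.0.113.10", n=24, t0=0.0):
    """Constructed traffic: one page load opening n TCP connections to port 80."""
    pkts = []
    for i in range(n):
        eph, t = 32768 + i, t0 + 0.1 * i
        pkts.append((t, client, eph, server, 80, "S"))          # client SYN
        pkts.append((t + 0.01, server, 80, client, eph, "SA"))  # server SYN/ACK from port 80
        pkts.append((t + 0.02, client, eph, server, 80, "A"))   # client ACK
    return pkts


def real_scan(scanner="198.51.100.7", target="10.0.0.5", n=30, t0=0.0):
    """Constructed traffic: a SYN scan of n low ports on a single target."""
    return [(t0 + 0.05 * i, scanner, 40000 + i, target, 1 + i, "S") for i in range(n)]


def count_ports(packets, initiators_only=False):
    """Distinct destination ports each (src, dst) pair touched inside one window.

    Simplified window: it starts at the pair's first packet and is reset once
    TIMEOUT seconds have elapsed.  With initiators_only=True only pure SYNs are
    counted, so a server's SYN/ACK replies to many ephemeral client ports no
    longer look like the server scanning the client.
    """
    windows = {}  # (src, dst) -> (window_start, set of dst ports)
    for t, src, sport, dst, dport, flags in sorted(packets):
        if initiators_only and flags != "S":
            continue
        key = (src, dst)
        start, ports = windows.get(key, (t, set()))
        if t - start > TIMEOUT:
            start, ports = t, set()
        ports.add(dport)
        windows[key] = (start, ports)
    return {k: v[1] for k, v in windows.items()}


def alerts(packets, initiators_only=False):
    """Sorted (src, dst) pairs whose distinct port count exceeds PORT_LIMIT."""
    return sorted(k for k, ports in count_ports(packets, initiators_only).items()
                  if len(ports) > PORT_LIMIT)


if __name__ == "__main__":
    print("browsing, every packet counted:", alerts(browsing_session()))
    print("browsing, SYNs only:", alerts(browsing_session(), initiators_only=True))
    print("scan, SYNs only:", alerts(real_scan(), initiators_only=True))
```

With every packet counted, the only pair over the limit is the web server replying to the client, which is exactly the alert pattern the thread reports (source port 80, ephemeral destination ports, target count 1); the client itself only ever touches port 80. Counting initiators only clears that pair and still flags the 30-port SYN scan, without touching port_limit or timeout.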

