Snort mailing list archives
Re: portscan vs. portscan2
From: Erek Adams <erek () snort org>
Date: Fri, 14 Feb 2003 08:24:22 -0500 (EST)
On Thu, 13 Feb 2003, Rob Burris wrote:
> 1. Is it necessary to have both preprocessor's running?
No, and definitely not recommended for performance reasons.
> 2. What are some of the differences between how they detect scans?
ps2 is the big brother of ps. The code was done in a new fashion, and some other things added in. The method of storing the packet list in memory is done differently. As for the detect method, it's fairly close. X ports on Y boxes in Z timeframe. It's a bit more complicated than that, but that's the basic idea.
> 3. Is one better than the other or is it just personal preference?
To me it's really up to you. ps has the older more mature code base, while ps2 is faster and cleaner. If it were possible, I'd run two instances over the same time frame on your sensor--One with ps and one with ps2. Compare the output and see which one gives you data you like/expect. Force some scans from GRC.com or wherever. See which one finds them and reports them to you. If you have access to a box that isn't on $HOME_NET then scan yourself from there.
> I hope I don't sound like a lamer but as you said there doesn't appear to be any docs to read.
There really aren't any docs for some of the plugins. Most of the time the best docs are the code itself. Granted, if you don't code C, they can be a bit difficult to read. Often there are fairly good comments and variable names so you can sorta guess what the code is doing.

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
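Erek summarises the detection method of both preprocessors as "X ports on Y boxes in Z timeframe". The following is an added illustration of that idea, not code from Snort's portscan or portscan2 source: a sliding-window counter that flags a source once it has touched more than a threshold of distinct host/port targets within a time window. The threshold, window length, packet record layout and the three sample traffic patterns (a benign client, a vertical scan of one box, a horizontal sweep of one port across many boxes) are all constructed assumptions for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal constructed packet record: only the fields the heuristic needs."""
    ts: float    # seconds since capture start
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port


class PortscanDetector:
    """Flag a source that contacts more than `max_targets` distinct
    (dst, dport) pairs within any `window`-second span. The (dst, dport)
    pair covers both cases of "X ports on Y boxes": many ports on one box
    (vertical scan) and one port on many boxes (horizontal sweep)."""

    def __init__(self, window=3.0, max_targets=4):
        self.window = window
        self.max_targets = max_targets
        # src -> deque of (timestamp, (dst, dport)), oldest first
        self.events = defaultdict(deque)
        self.alerted = set()  # sources already reported, to avoid repeats

    def observe(self, pkt):
        q = self.events[pkt.src]
        q.append((pkt.ts, (pkt.dst, pkt.dport)))
        # Drop events that have aged out of the window.
        cutoff = pkt.ts - self.window
        while q and q[0][0] < cutoff:
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) > self.max_targets and pkt.src not in self.alerted:
            self.alerted.add(pkt.src)
            return (pkt.src, len(distinct))
        return None


def run(packets, window=3.0, max_targets=4):
    """Feed packets in time order; return a list of (src, target_count) alerts."""
    det = PortscanDetector(window, max_targets)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        alert = det.observe(pkt)
        if alert is not None:
            alerts.append(alert)
    return alerts


def sample_traffic():
    """Constructed traffic with one benign client and two scanning sources."""
    pk = []
    # Benign: 10.0.0.5 uses three services spread over 8 seconds.
    for i, port in enumerate((80, 443, 22)):
        pk.append(Packet(ts=float(i * 4), src="10.0.0.5", dst="10.0.0.1", dport=port))
    # Vertical scan: 10.0.0.9 probes 8 ports on one box within a second.
    for i, port in enumerate((21, 22, 23, 25, 80, 110, 139, 445)):
        pk.append(Packet(ts=5.0 + i * 0.1, src="10.0.0.9", dst="10.0.0.1", dport=port))
    # Horizontal sweep: 10.0.0.77 tries port 445 on 6 boxes within 2 seconds.
    for i in range(6):
        pk.append(Packet(ts=20.0 + i * 0.3, src="10.0.0.77",
                         dst=f"10.0.0.{100 + i}", dport=445))
    return pk


if __name__ == "__main__":
    for src, count in run(sample_traffic()):
        print(f"portscan from {src}: {count} distinct targets within window")
```

The benign client never exceeds the threshold because its connections are spaced wider than the window, while both scanning sources trip it on their fifth distinct target. Real preprocessors differ mainly in how they store and expire this per-source state, which is exactly the "method of storing the packet list in memory" difference Erek mentions.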