Snort mailing list archives

Re: portscan2 effectiveness.


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 29 Apr 2003 20:22:25 -0400


At 04:16 PM 4/29/2003 -0700, Skip Carter wrote:
> >I've only heard of one person who gets decent results with it (I think
> >that's Erek) and that person admits their network is "not typical".
>
> Hmmm.  Maybe there's two of us now ....  ;-)

> It would seem that those of us using it have not had much reason to
> speak up.  I haven't had too much problem with it either.

Interesting. Good to hear that some people are getting good results from it. I checked my mailbox archive: I've asked several times, and Erek's the only person who ever indicated it worked.

Here's some of my pointed criticisms of the portscan2 preprocessor on the list over the past few months.

Thu, 20 Mar 2003 17:55:32 -0500 Re: [Snort-users] portscan2-ignoreports...anyone get it to work???
"I don't know, but if you ever hear of anyone that's ever been able to do anything useful with spp_portscan2, let me know.."

Mon, 24 Mar 2003 20:22:44 -0500 Re: [Snort-users] portscan and portscan2
"That said, I've had such horrible experiences with portscan2 that I'm surprised that the snort-devels haven't scrapped it completely and removed it from the code, although Erek seems to have good results from it.."

Wed, 23 Apr 2003 17:57:02 -0400 Re: [Snort-users] Too little traffic being seen!
"If it is, disable spp_portscan2 and spp_conversation and try that. They chew up a lot of memory and add a lot of overhead for something that doesn't work well."

Of course, my experiences still amount to it being less useful at detecting network attacks than Microsoft Bob and more prone to false positives than using the load-meter on my router to detect attacks.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users