Snort mailing list archives

how snort detect port scan


From: carl marx <carlmarxf11 () yahoo com sg>
Date: Fri, 20 Jun 2003 11:56:38 +0800 (CST)

hi experts,

I was wondering how Snort detects a port scan. E.g., for a SYN
scan, how does it tell a port scan from a
valid active SYN connect? Is it by the number of similar
scans over time, i.e. rate, or is there some kind of state
it keeps, so that if it does not see an ACK back after the SYN+ACK, it
deems it a SYN scan?

please advise.
thanks in advance.

