Snort mailing list archives

Re: Portscan2, where port !=X


From: Matt Kettler <mkettler () evi-inc com>
Date: Sun, 31 Aug 2003 11:26:04 -0400

At 09:55 PM 8/30/2003 -0500, Jade E. Deane wrote:

Is it possible to ignore a scan using portscan2, where the source port
is X?

Example:
07/06/03-17:55:19.708517  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49399 tgts: 1 ports: 60 flags: ***A**S* event_id: 108
07/06/03-17:55:20.136362  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 39705 tgts: 1 ports: 61 flags: ***A**S* event_id: 108
07/06/03-17:55:20.268826  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49401 tgts: 1 ports: 62 flags: ***A**S* event_id: 108

Of note, are you running snort on low-end hardware?

This is the kind of false positive "syn-ack" scan I was seeing when I ran snort on a p-166 with portscan2 enabled. It was dropping so many packets that it missed the initial syn, so it declared the syn-ack a scan.

Once I disabled portscan2 and conversation, the packet drop rate fell back to a normal level. I did lose portscan2's functionality, but at least snort was no longer dropping 5-10% of the packets coming in, so the normal rules would at least work.

Check your packet drop rates. If they are high, disable portscan2 and conversation or upgrade your hardware.
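The SYN-ACK pattern described in the reply can be triaged from the portscan2 output itself. The script below is an added example and is not part of this thread or of Snort: it parses records in the format quoted above, marks events whose flags field carries both A and S, with a service source port and an ephemeral destination port, as likely replies to the monitored host's own outbound connections (the symptom of a sensor that dropped the initial SYN), and computes a packet drop percentage against a threshold. The service-port set, the 1024 ephemeral boundary, the 5% threshold and the fourth sample line (a plain SYN from a documentation address) are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample: the first three lines copy the shape of the portscan2
# output quoted in the thread (unwrapped); the fourth is a constructed
# plain-SYN event added for contrast (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
07/06/03-17:55:19.708517  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49399 tgts: 1 ports: 60 flags: ***A**S* event_id: 108
07/06/03-17:55:20.136362  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 39705 tgts: 1 ports: 61 flags: ***A**S* event_id: 108
07/06/03-17:55:20.268826  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49401 tgts: 1 ports: 62 flags: ***A**S* event_id: 108
07/06/03-18:01:02.000001  TCP src: 192.0.2.10 dst: 10.0.47.3 sport: 54321 dport: 22 tgts: 1 ports: 3 flags: ******S* event_id: 109
"""

# One portscan2 record per line; the field order matches the quoted output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+) src: (?P<src>\S+) dst: (?P<dst>\S+) "
    r"sport: (?P<sport>\d+) dport: (?P<dport>\d+) tgts: (?P<tgts>\d+) "
    r"ports: (?P<ports>\d+) flags: (?P<flags>\S+) event_id: (?P<event_id>\d+)$"
)

# Assumed local policy: ports the site expects its hosts to connect OUT to,
# plus the classic "below 1024 is a service" rule.
SERVICE_PORTS = {22, 25, 80, 443, 993, 995}
EPHEMERAL_MIN = 1024  # assumed boundary for client-side ports


def parse_portscan2_log(text):
    """Return a list of dicts, one per portscan2 record; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a portscan2 record (banner, blank, truncated line)
        ev = m.groupdict()
        for key in ("sport", "dport", "tgts", "ports", "event_id"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def classify(ev):
    """'likely-reply' when the record looks like a SYN-ACK answering a local
    outbound connection (service source port, ephemeral destination port);
    otherwise 'scan-candidate' and worth a human look."""
    flags = ev["flags"]
    syn_ack = "S" in flags and "A" in flags
    from_service = ev["sport"] < EPHEMERAL_MIN or ev["sport"] in SERVICE_PORTS
    to_ephemeral = ev["dport"] >= EPHEMERAL_MIN
    if syn_ack and from_service and to_ephemeral:
        return "likely-reply"
    return "scan-candidate"


def summarize(text):
    """Count records per class so a noisy log can be judged at a glance."""
    return dict(Counter(classify(ev) for ev in parse_portscan2_log(text)))


def drop_rate_percent(received, dropped):
    """Percentage of packets the sensor dropped; 0.0 when nothing was received."""
    if received <= 0:
        return 0.0
    return 100.0 * dropped / received


def drops_suspicious(received, dropped, threshold_percent=5.0):
    """True when the drop rate reaches the (assumed) level at which a
    stateful preprocessor starts missing the SYN that precedes a SYN-ACK."""
    return drop_rate_percent(received, dropped) >= threshold_percent


if __name__ == "__main__":
    for ev in parse_portscan2_log(SAMPLE_LOG):
        print(classify(ev), ev["src"], ev["sport"], "->", ev["dst"], ev["dport"], ev["flags"])
    print(summarize(SAMPLE_LOG))
    # Constructed counters standing in for the sensor's own statistics output.
    print("drop rate %.1f%%, suspicious=%s" % (drop_rate_percent(1000, 70), drops_suspicious(1000, 70)))
```

If most records fall into the likely-reply bucket and the drop rate is high, the cause is usually the sensor, not the remote host; check the drop counters first and only then tune the preprocessor.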

