Snort mailing list archives

Re: [Snort-sigs] good settings for portscan preprocessor?


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 13 Nov 2003 14:32:38 -0500

At 06:52 AM 11/13/2003, David Wilburn wrote:
> I've never had any good luck with the portscan preprocessor with Snort in any network I've used it on with the default settings, regardless of my host filtering. Does anyone here have any recommendations on a good setting that they've used in a large-ish network?
>
> By the way, I'm using the original portscan preprocessor, not portscan2, due to my using Snort in conjunction with SGUIL.

(moving this thread to snort-users where it belongs, this has absolutely nothing to do with signature development)

"Large-ish" is a very relative term... but a few years ago I used to use it with 5 2 settings on a 100-user network.

However, in a modern world neither of the portscan preprocessors is going to be effective against an intruder... let's face it... nmap exists, and can very easily be configured to have an extraordinarily slow rate of scan. Even the lamest of skript kiddies can download nmap for Windows and scan your network at a rate that will take him a couple of weeks to complete, but who cares, he can leave it running minimized and look at the results later.

Attackers with even modest skill levels are certainly going to be using significantly better tactics than what nmap can provide out-of-the box.

Really the best you can hope for from either of the portscan preprocessors is to detect sweeps of probes from network worms trying to automatically find hosts to infect. You'll also pick up a few of the lowest-skill-level kiddies, and some spammers doing quick scans for open relay mailservers or open proxies, but you're certainly not going to pick up anyone that's any kind of threat to a reasonably well configured network.

Since you're only going to be able to detect the really reckless and loud automated attackers, I see no reason not to use really high thresholds like 100 2.

If you want to try to detect people doing slow-rate scans, a statistical deviation analysis tool like the SPADE add-on for Snort is pretty much your best bet. Your only other hope is that you can pick them up with an attack signature when they finally do attack.
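The threshold argument above (a "ports seconds" pair such as 5 2 or 100 2 catches fast, noisy scans but not a deliberately slowed nmap) can be checked with a small simulation. The following is an added example, not Snort code or anything from the original thread: it models a portscan threshold as "at least N distinct targets from one source inside a sliding window of S seconds" (that reading of the two numbers, and counting distinct (host, port) pairs rather than ports alone, are the example's own assumptions), and runs constructed probe streams through it. The source and destination addresses and the nmap-style probe intervals are made up for illustration.

```python
"""Simulated "ports seconds" portscan threshold (added example, not Snort code).

Events are constructed (timestamp, src, dst, dport) tuples standing in for
the SYN probes a sensor would see; no packets are read.  The detector keeps
a sliding window per source and alerts once at least `ports` distinct
(dst, dport) targets fall inside any `seconds`-long window.  This is the
example's own reading of the two-number threshold, not Snort's source.
"""
from collections import defaultdict, deque


def detect_portscan(events, ports, seconds):
    """Return the set of source addresses that exceed the threshold.

    events  : iterable of (t, src, dst, dport), assumed sorted by t
    ports   : distinct targets needed inside the window to alert
    seconds : window length in seconds
    """
    window = defaultdict(deque)   # src -> deque of (t, (dst, dport))
    alerted = set()
    for t, src, dst, dport in events:
        q = window[src]
        q.append((t, (dst, dport)))
        # drop probes that have aged out of the window
        while q and t - q[0][0] > seconds:
            q.popleft()
        distinct_targets = {target for _, target in q}
        if len(distinct_targets) >= ports:
            alerted.add(src)
    return alerted


def make_scan(src, dst, n_ports, interval, start=0.0):
    """Constructed probe stream: one probe per port, `interval` s apart."""
    return [(start + i * interval, src, dst, 1 + i) for i in range(n_ports)]


def make_sweep(src, n_hosts, dport, interval, start=0.0):
    """Constructed worm-style sweep: one port, probed across many hosts."""
    return [(start + i * interval, src, "192.0.2.%d" % (i % 250 + 1), dport)
            for i in range(n_hosts)]


def scenarios():
    """Run each constructed stream against a 5 2 and a 100 2 threshold.

    Returns {scenario: (caught_at_5_2, caught_at_100_2)}.
    """
    # hypothetical addresses; 10.0.0.x scanners probe 192.0.2.x targets
    fast = make_scan("10.0.0.1", "192.0.2.10", 1000, 0.01)   # burst scan
    onesec = make_scan("10.0.0.2", "192.0.2.10", 1000, 1.0)  # 1 probe/s
    sneaky = make_scan("10.0.0.3", "192.0.2.10", 1000, 15.0)  # 15 s apart
    worm = make_sweep("10.0.0.4", 500, 445, 0.005)             # noisy sweep
    out = {}
    for name, stream in (("fast", fast), ("onesec", onesec),
                         ("sneaky", sneaky), ("worm", worm)):
        src = stream[0][1]
        out[name] = (src in detect_portscan(stream, 5, 2),
                     src in detect_portscan(stream, 100, 2))
    return out


if __name__ == "__main__":
    for name, (at_5_2, at_100_2) in scenarios().items():
        print("%-7s  5 2: %-5s  100 2: %s" % (name, at_5_2, at_100_2))
```

The one-probe-per-second stream never has more than three distinct ports inside a two-second window, so even the tight 5 2 setting misses it, while the burst scan and the sweep trip both thresholds; that is the gap between a rate threshold and the slow-rate scans the post says only a statistical tool will catch.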
