RE: RE: flow-portscan really suitable ???

["Douglas McCrea" <dmccrea () rutgers edu>]

You need to have conversation segment available as well from the
original snort.conf.

-Doug

-----Original Message-----
From: BIZOU [mailto:bizou () voila fr] 
Sent: Thursday, March 04, 2004 11:50 AM
To: snort-users () lists sourceforge net
Subject: Re: RE: [Snort-users] flow-portscan really suitable ???


Well, i'd like to use portscan2 again, but when i try to use it in the
config and disable flow-portscan, i receive a segfault just when snort
try to load conversation/portscan2. And i've seen somewhere else that
portscan2 was disabled since 2.1.1 (although it is still present in
src/preprocessor/). Can you confirm if it's really still available ? and
in this case, is there a special statement to insert in the config ?
Thanks




> You can still use Portscan2 thankfully by just copying back the 
> sections from an old config. I have to agree here about flow-portscan.

> Portscan2 works nicely for me an rarely shows false positives. I still

> haven't seen anything from flow-portscan besides false positives and 
> considering
> that- even when it shows the false positives, it doesn't report any
> useful data (with msg or pktkludge). I've also only seen responses
from
> people saying, "Use pktkludge, it's in the documentation." Well, I
have,
> and it still doesn't produce any useful data anywhere that I can see
no
> matter what settings I put for anything. 
>
> My question is this... Is anyone using flow-portscan effectively and 
> getting results such that you can see that a system is scanning your 
> hosts for port 25, etc.? If so, can you post your settings for this? 
> Neither myself nor my colleagues who have used Snort for years have 
> been able to get this to work at all. We are all concerned that 
> portscan2 will be removed, and then we will no longer be able to see 
> any scanning activity using Snort.
>
> -Doug
>
> -----Original Message-----
> From: BIZOU [mailto:bizou () voila fr]
> Sent: Thursday, March 04, 2004 11:10 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] flow-portscan really suitable ???
>
>
> Hi,
>
> I've been working on snort 2.1.1 for a few days. I was previously with

> snort 2.0.5. I had to change my portscan2 configuration into 
> flow-portscan and ... well i dislike it Indeed, i tuned my portscan2 
> preprocessor with scanner-max 256, target_max 1024, target_limit 30, 
> port_limit 40, timeout 40 and it was quite fine. I used 
> portscan2-ignorehost and ignore-port too. I catched MydoomB scans, 
> Blaster.C or B (don't remember) scans, nmap scan.... Now with 
> flow-portscan, i have nothing except flase positive scans I'm managing

> 6 NIDS in a wide environment so i cannot define a HOME_NET or wathever

> defined variable
>
> When i watched at my prelude reporting GUI this morning (i use a 
> prelude framework for alerting) i only saw false scan alerts. I tried 
> to configure flow-portscan in several way, i cannot succeed in having 
> correct results
>
> So please,
> 1 - tell me that it wil be possible again to use portscan2 in future
> releases 2 - Tell me a way to configure correctly and simply
> flow-portscan (without a learning time ) 3 - Tell me a way to add
> flow-portscan ignore port from 4 - Tell me that destination port will
be
> present in pktkludge soon
>
>
> ------------------------------------------
>
> Faites un voeu et puis Voila ! www.voila.fr
>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of 
> GenToo technologies. Learn everything from fundamentals to system 
> administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------

Faites un voeu et puis Voila ! www.voila.fr 




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

<<winmail.dat>>