Snort mailing list archives

Detection of subnet scan activity


From: "Ben Carter" <BenC () dcpud org>
Date: Mon, 5 Jan 2004 15:31:05 -0800

Howdy. 

I love SNORT! I have been searching for a way to use SNORT to detect
subnet scans, but am unable to find what I am looking for in the FAQ,
Documentation or mailing list archives. I see that there is a
pre-processor module that has the ability to look beyond simple packet
matching rules, but it appears that this pre-processor module only
detects port scans. Is there a pre-processor module to detect when a
host scans for multiple /hosts/? Optimally the source host would be
identified by MAC address rather than IP so that scans or attacks
launched from a single station which was spoofing multiple source IP
addresses (such as one of those nasty worms) could be identified. 


If someone could point me in the right direction (even if it is not
SNORT related, or even a commercial product *gasp*, hope I don't get
flamed for this) I would appreciate it greatly. My appreciation and
$2.50 will get you a latte at any Starbucks in the Country ;D


Thanks again!


Ben Carter
Network Analyst
Douglas County PUD
1151 Valley Mall Parkway
East Wenatchee WA, 98802
Voice: (509) 884-7191
Fax:   (509) 884-0553
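The detection the post asks for, a host sweep keyed on the sending station's MAC address rather than its (possibly spoofed) source IP, can be sketched outside Snort as a sliding-window counter over flow records. The example below is added here and is not code from the poster or from the Snort project; it assumes flows (timestamp, source MAC, source IP, destination IP, destination port) have already been extracted from a capture on the same broadcast domain, and the `Flow` type, the `SAMPLE_FLOWS` data and the thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed record type, not a Snort structure)."""
    ts: float        # seconds since epoch
    src_mac: str     # sending station's hardware address as seen on the local segment
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed sample data: station ...:01 walks 10.0.1.0/24 on port 445 while
# rotating through four spoofed source IPs; station ...:02 only talks to two servers.
SAMPLE_FLOWS = [
    Flow(1000.0 + i, "aa:bb:cc:dd:ee:01", f"10.0.9.{(i % 4) + 1}", f"10.0.1.{i + 1}", 445)
    for i in range(12)
] + [
    Flow(1000.5, "aa:bb:cc:dd:ee:02", "10.0.1.50", "10.0.2.10", 80),
    Flow(1003.0, "aa:bb:cc:dd:ee:02", "10.0.1.50", "10.0.2.11", 443),
    Flow(1004.0, "aa:bb:cc:dd:ee:02", "10.0.1.50", "10.0.2.10", 80),
]


def detect_host_sweeps(flows, threshold=8, window=10.0):
    """Return one alert per source MAC that contacted at least `threshold`
    distinct destination hosts within any `window`-second span.

    Keying on the MAC address collapses every spoofed source IP used by the
    same station into a single offender, which is the point raised in the post.
    """
    flows = sorted(flows, key=lambda f: f.ts)
    recent = defaultdict(deque)   # src_mac -> deque of (ts, dst_ip) inside the window
    alerted = {}                  # src_mac -> alert record (first trigger only)
    for f in flows:
        q = recent[f.src_mac]
        q.append((f.ts, f.dst_ip))
        # Drop entries that fell out of the window before counting.
        while q and f.ts - q[0][0] > window:
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= threshold and f.src_mac not in alerted:
            spoofed = {x.src_ip for x in flows if x.src_mac == f.src_mac and x.ts <= f.ts}
            alerted[f.src_mac] = {
                "src_mac": f.src_mac,
                "hosts": len(targets),
                "source_ips": sorted(spoofed),   # every IP the station claimed so far
                "first_ts": q[0][0],
                "trigger_ts": f.ts,
            }
    return list(alerted.values())


def max_targets_per_source_ip(flows):
    """Same count keyed on source IP, to show what spoofing does to an IP-keyed
    detector: the sweeping station never exceeds a handful of hosts per IP."""
    per_ip = defaultdict(set)
    for f in flows:
        per_ip[f.src_ip].add(f.dst_ip)
    return max(len(v) for v in per_ip.values())


if __name__ == "__main__":
    for alert in detect_host_sweeps(SAMPLE_FLOWS):
        print(alert)
    print("max hosts per source IP:", max_targets_per_source_ip(SAMPLE_FLOWS))
```

Two caveats for anyone adapting this: the MAC address is only meaningful for stations on the same layer-2 segment as the sensor (past a router every frame carries the router's MAC, so the key degrades to source IP), and the threshold and window need tuning against normal traffic on the monitored subnet, since a backup server or a management station legitimately touches many hosts in a short time.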
