Snort mailing list archives
Detection of subnet scan activity
From: "Ben Carter" <BenC () dcpud org>
Date: Mon, 5 Jan 2004 15:31:05 -0800
Howdy. I love SNORT!

I have been searching for a way to use SNORT to detect subnet scans, but am unable to find what I am looking for in the FAQ, Documentation or mailing list archives. I see that there is a pre-processor module that has the ability to look beyond simple packet matching rules, but it appears that this pre-processor module only detects port scans. Is there a pre-processor module to detect when a host scans for multiple /hosts/? Optimally the source host would be identified by MAC address rather than IP so that scans or attacks launched from a single station which was spoofing multiple source IP addresses (such as one of those nasty worms) could be identified.

If someone could point me in the right direction (even if it is not SNORT related, or even a commercial product *gasp*, hope I don't get flamed for this) I would appreciate it greatly. My appreciation and $2.50 will get you a latte at any Starbucks in the Country ;D

Thanks again!

Ben Carter
Network Analyst
Douglas County PUD
1151 Valley mall Parkway
East Wenatchee WA, 98802
Voice: (509) 884-7191
Fax: (509) 884-0553
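The detection asked about above, sketched as an added example that is not part of the original post and is not Snort code: count distinct destination hosts per source MAC in a sliding window, so spoofed source IPs from one station still aggregate to one key. The record layout, window, threshold, and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding window
HOST_THRESHOLD = 20   # assumed: distinct destination hosts before alerting


def detect_subnet_scans(packets, window=WINDOW_SECONDS, threshold=HOST_THRESHOLD):
    """Return {src_mac: timestamp of first alert} for every MAC that contacts
    at least `threshold` distinct destination IPs within `window` seconds.

    `packets` is an iterable of (timestamp, src_mac, src_ip, dst_ip) tuples in
    time order. src_ip is deliberately not part of the key, so rotating
    spoofed source addresses does not split one station's activity."""
    recent = defaultdict(deque)   # src_mac -> deque of (timestamp, dst_ip)
    alerts = {}
    for ts, src_mac, _src_ip, dst_ip in packets:
        q = recent[src_mac]
        q.append((ts, dst_ip))
        # Drop observations that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if src_mac not in alerts and len({d for _, d in q}) >= threshold:
            alerts[src_mac] = ts
    return alerts


def sample_capture():
    """Constructed records, not real traffic."""
    pkts = []
    # Station A: sweeps 10.0.0.1-30, one probe per second, rotating 5 spoofed source IPs.
    for i in range(30):
        pkts.append((float(i), "00:11:22:33:44:55", f"10.0.9.{i % 5 + 1}", f"10.0.0.{i + 1}"))
    # Station B: ordinary client talking repeatedly to the same three servers.
    for i in range(30):
        pkts.append((i + 0.5, "66:77:88:99:aa:bb", "10.0.0.200", f"10.0.1.{i % 3 + 1}"))
    return sorted(pkts)


if __name__ == "__main__":
    for mac, ts in detect_subnet_scans(sample_capture()).items():
        print(f"possible subnet scan from {mac} at t={ts:.1f}s")
```

Keying on MAC only works when the sensor sits on the same layer-2 segment as the scanning station; traffic that has crossed a router carries the router's MAC as its source.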