Snort mailing list archives

Re: Detection of subnet scan activity


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 05 Jan 2004 18:58:42 -0500

At 06:31 PM 1/5/2004, Ben Carter wrote:
I love SNORT! I have been searching for a way to use SNORT to detect subnet scans, but am unable to find what I am looking for in the FAQ, Documentation or mailing list archives. I see that there is a pre-processor module that has the ability to look beyond simple packet matching rules, but it appears that this pre-processor module only detects port scans. Is there a pre-processor module to detect when a host scans for multiple /hosts/? Optimally the source host would be identified by MAC address rather than IP so that scans or attacks launched from a single station which was spoofing multiple source IP addresses (such as one of those nasty worms) could be identified.

The old-fashioned spp_portscan can do multiple hosts OR multiple ports.

Note: do not confuse spp_portscan with spp_portscan2 or the flow-portscan tools. All three are different beasties.


I'm not sure, but I suspect flow-portscan will also detect subnet scans, not just portscans of a single box.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
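As an added illustration, not code from Snort or from either poster, here is a small Python model of the kind of threshold the reply describes: count the distinct targets a source touches inside a detection period and alert once the count exceeds a limit, for either many hosts (a sweep) or many ports on one host (a portscan). For comparison, spp_portscan itself is configured by one line in snort.conf of the form `preprocessor portscan: <monitor network> <ports> <seconds> <logfile>`. The model can key the source by MAC address, as the original question asked, so a station rotating spoofed source IPs is still counted as one scanner. The threshold, window, MAC addresses, IP ranges and sample traffic below are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


class SweepDetector:
    """Alert when one source touches more than `threshold` distinct hosts,
    or more than `threshold` distinct ports on a single host, within
    `window` seconds. `key` selects whether a source is identified by its
    MAC address or its (possibly spoofed) source IP."""

    def __init__(self, threshold, window, key="mac"):
        self.threshold = threshold                 # distinct targets allowed per window
        self.window = window                       # detection period in seconds
        self.key = key                             # "mac" or "ip"
        self.seen = defaultdict(deque)             # source -> (ts, dst_ip, dst_port), time-ordered
        self.fired = set()                         # (source, kind) pairs already alerted on

    def source(self, pkt):
        return pkt.src_mac if self.key == "mac" else pkt.src_ip

    def feed(self, pkt):
        src = self.source(pkt)
        q = self.seen[src]
        q.append((pkt.ts, pkt.dst_ip, pkt.dst_port))
        # Drop history older than the detection period; the packet just
        # appended always stays, so the loop terminates.
        while pkt.ts - q[0][0] > self.window:
            q.popleft()

        alerts = []
        hosts = {h for _, h, _ in q}
        if len(hosts) > self.threshold and (src, "host_sweep") not in self.fired:
            self.fired.add((src, "host_sweep"))
            alerts.append((src, "host_sweep", len(hosts)))

        ports_by_host = defaultdict(set)
        for _, h, p in q:
            ports_by_host[h].add(p)
        worst = max(len(ports) for ports in ports_by_host.values())
        if worst > self.threshold and (src, "port_scan") not in self.fired:
            self.fired.add((src, "port_scan"))
            alerts.append((src, "port_scan", worst))
        return alerts


def detect(packets, threshold=4, window=5.0, key="mac"):
    """Run the detector over a packet list and return all alerts raised."""
    det = SweepDetector(threshold, window, key)
    out = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        out.extend(det.feed(pkt))
    return out


# Constructed sample traffic (not a real capture).
WORM_MAC = "00:11:22:33:44:55"
SAMPLE = (
    # One station sweeps 10.0.1.0/24 on tcp/445 while rotating three spoofed source IPs.
    [Packet(1.0 + i * 0.1, WORM_MAC, f"10.0.0.{11 + i % 3}", f"10.0.1.{1 + i}", 445)
     for i in range(6)]
    # An ordinary portscan of a single host from an unspoofed source.
    + [Packet(10.0 + (p - 21) * 0.2, "aa:bb:cc:dd:ee:ff", "10.0.0.99", "10.0.1.1", p)
       for p in range(21, 27)]
    # A lone packet from the worm station long after the window closed: no new alert.
    + [Packet(100.0, WORM_MAC, "10.0.0.11", "10.0.1.50", 445)]
)

if __name__ == "__main__":
    for key in ("mac", "ip"):
        print(f"keyed by {key}:")
        for src, kind, count in detect(SAMPLE, key=key):
            print(f"  {src}: {kind} ({count} targets in window)")
```

Keyed by MAC the sweep is caught at the fifth host; keyed by IP each spoofed address only ever touches two hosts and the sweep is missed, which is exactly the gap the original question points at. The single-host portscan is reported either way.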

