Snort mailing list archives
Flow-portscan oddity
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Mon, 12 Apr 2004 16:20:32 -0500
Using the default configuration for flow and flow-portscan, and testing it on an external interface, we're seeing absolutely no alerts triggered. I've attempted using many output mechanisms, hoping that it wasn't the method we were using, and the results are the same. I'm 100% positive there were several scans happening on this same interface, as I ran portscan2 at the same time with a different snort on the same interface. Many noisy, ugly alerts from portscan2... Nothing from flow-portscan.

The config:

preprocessor flow: hash 2
preprocessor flow-portscan: \
    talker-sliding-scale-factor 0.50 \
    talker-fixed-threshold 30 \
    talker-sliding-threshold 30 \
    talker-sliding-window 20 \
    talker-fixed-window 30 \
    scoreboard-rows-talker 30000 \
    server-watchnet [somesubnet] \
    server-ignore-limit 200 \
    server-rows 65535 \
    server-learning-time 14400 \
    server-scanner-limit 4 \
    scanner-sliding-window 20 \
    scanner-sliding-scale-factor 0.50 \
    scanner-fixed-threshold 15 \
    scanner-sliding-threshold 40 \
    scanner-fixed-window 15 \
    scoreboard-rows-scanner 30000 \
    alert-mode once \
    output-mode msg \
    tcp-penalties on

The scans:

Nmap -O
Nmap -sT (entire subnet on interface) -p 1-1024
Nmap -sU (entire subnet on interface)

Normally this interface is extremely noisy when portscan watches it... So it was interesting to see how quiet flow-portscan was after some of the complaints of noise I'd seen.