Snort mailing list archives

Re: portscan question


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 28 Apr 2004 14:51:13 -0400

At 11:01 AM 4/28/2004, Darryl Cook wrote:

I did some more testing and *was* able to reproduce the problem. If you put wsftp in passive mode and transfer several files in a row to the snort server, it generates a false positive portscan. Anyone know how to correct this?

This isn't an unexpected result from the classic portscan preprocessor. It's very simple, and very stupid in its analysis of traffic. While it is useful, its very simple approach has a lot of limitations, like this one. That's why there are other portscan preprocessors in snort. They were created to improve upon spp_portscan.

You might have better luck with the more intelligent flow_portscan, which has a bit of a "popular service" learning behavior to it. However, it has more memory overhead.

Barring using a better portscan preprocessor, your best bet is to do a portscan_ignorehost for your FTP server, or all of your client IPs.

You can also try to reduce the time or increase the number of sessions to trigger an alert, but there's nothing to stop a passive ftp server from handing out hundreds, if not thousands, of connections per second to a client, all on different ports, collectively looking exactly like a high-speed portscan. It's all a matter of what's your expected connection rate.
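The following is an added illustration, not code from the post or from Snort itself: a deliberately simplified model of a threshold-style portscan detector (N distinct destination ports from one source within M seconds, with an ignore-host list), run over two constructed connection logs. The "passive FTP" log is a single client that opened several data connections to successive high ports on one server; the "scan" log is one source walking ten consecutive ports. The threshold values, the sample addresses and the exact semantics of the ignore list are assumptions for the demonstration and are not Snort's actual defaults or implementation.

```python
"""Toy threshold-style portscan detector (a simplified stand-in for spp_portscan,
not Snort's code).  Shows why a passive-FTP client looks like a scanner and
what each suggested fix (ignore list, higher threshold) does to both cases."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Conn:
    ts: float   # seconds since start of capture
    src: str    # initiator of the TCP connection
    dst: str
    dport: int


# Constructed sample: one client transferring four files over passive FTP.
# In passive mode the client opens the data connections, and the server hands
# out a new high port for each transfer, so one source hits many ports fast.
PASSIVE_FTP_SESSION = [
    Conn(0.0, "10.0.0.5", "192.0.2.10", 21),      # control channel
    Conn(0.4, "10.0.0.5", "192.0.2.10", 49152),   # data channel, file 1
    Conn(0.9, "10.0.0.5", "192.0.2.10", 49153),   # file 2
    Conn(1.3, "10.0.0.5", "192.0.2.10", 49154),   # file 3
    Conn(1.8, "10.0.0.5", "192.0.2.10", 49155),   # file 4
]

# Constructed sample: a genuine sweep of ports 20-29 from another host.
SCAN = [Conn(i / 10, "198.51.100.7", "192.0.2.10", 20 + i) for i in range(10)]


def detect_portscans(conns, ports=4, seconds=3.0, ignore_hosts=()):
    """Return a list of (src, dst, first_ts) alerts.

    A (src, dst) pair is flagged when the source has touched at least `ports`
    distinct destination ports within any window of `seconds`.  Connections
    involving any network in `ignore_hosts` (either endpoint; an assumption for
    this model) are skipped entirely.  The threshold defaults are arbitrary.
    """
    ignored = [ip_network(h) for h in ignore_hosts]
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
    alerts = []
    for c in sorted(conns, key=lambda c: c.ts):
        if any(ip_address(c.src) in n or ip_address(c.dst) in n for n in ignored):
            continue
        q = recent[(c.src, c.dst)]
        q.append((c.ts, c.dport))
        # Drop entries that fell out of the sliding time window.
        while q and c.ts - q[0][0] > seconds:
            q.popleft()
        if len({p for _, p in q}) >= ports:
            alerts.append((c.src, c.dst, q[0][0]))
            q.clear()   # one alert per burst, rather than one per packet
    return alerts


if __name__ == "__main__":
    print("defaults, passive FTP :", detect_portscans(PASSIVE_FTP_SESSION))  # false positive
    print("defaults, real scan   :", detect_portscans(SCAN))
    # Fix 1: ignore the FTP server.  Silences the false positive, but also
    # silences a real scan against that same server.
    srv = ("192.0.2.10/32",)
    print("ignore server, FTP    :", detect_portscans(PASSIVE_FTP_SESSION, ignore_hosts=srv))
    print("ignore server, scan   :", detect_portscans(SCAN, ignore_hosts=srv))
    # Fix 2: ignore only the known client(s); the scan from elsewhere still fires.
    cli = ("10.0.0.5/32",)
    print("ignore client, FTP    :", detect_portscans(PASSIVE_FTP_SESSION, ignore_hosts=cli))
    print("ignore client, scan   :", detect_portscans(SCAN, ignore_hosts=cli))
    # Fix 3: raise the port threshold.  Works for this short session, but a
    # busier FTP client would cross any fixed threshold eventually.
    print("ports=6, FTP          :", detect_portscans(PASSIVE_FTP_SESSION, ports=6))
    print("ports=6, scan         :", detect_portscans(SCAN, ports=6))
```

Run as-is to see the three outcomes side by side. The point of the comparison is the one made in the message: an ignore list entry for the server is the blunt option (it blinds the sensor to scans of that host), ignoring the known client addresses is narrower, and threshold tuning only moves the line that a sufficiently busy passive-FTP client will still cross.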



