Snort mailing list archives
Re: portscan question
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 28 Apr 2004 14:51:13 -0400
At 11:01 AM 4/28/2004, Darryl Cook wrote:
I did some more testing and *was* able to reproduce the problem. If you put wsftp in passive mode and transfer several files in a row to the snort server, it generates a false positive portscan. Anyone know how to correct this?
This isn't an unexpected result from the classic portscan preprocessor. It's very simple, and very stupid in its analysis of traffic. While it is useful, its very simple approach has a lot of limitations, like this one. That's why there are other portscan preprocessors in snort. They were created to improve upon spp_portscan.
You might have better luck with the more intelligent flow_portscan, which has a bit of a "popular service" learning behavior to it. However, it is more memory overhead.
Barring using a better portscan preprocessor, your best bet is to do a portscan_ignorehost for your FTP server, or all of your client IPs.
You can also try to reduce the time or increase the number of sessions to trigger an alert, but there's nothing to stop a passive ftp server from handing out hundreds, if not thousands, of connections per second to a client, all on different ports, collectively looking exactly like a high-speed portscan. It's all a matter of what's your expected connection rate.
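The following is an added illustration, not Snort's code or anything from this thread: a simplified "distinct destination ports per source within a time window" heuristic in the spirit of the classic portscan preprocessor, run over a constructed passive-FTP session, with the two mitigations from the reply (ignoring the FTP server host, or raising the port threshold) shown side by side. The thresholds, IP addresses and connection records are all constructed assumptions.

```python
import collections

# Constructed sample connections: (timestamp_seconds, src_ip, dst_ip, dst_port).
# A passive-FTP client fetching several files in a row: the server hands out a
# fresh high data port for every transfer, so one client fans out across many
# destination ports of one host in a few seconds.
CONNECTIONS = [
    (0.0, "10.0.0.5", "10.0.0.20", 21),     # FTP control channel
    (0.5, "10.0.0.5", "10.0.0.20", 49152),  # PASV data port, file 1
    (1.0, "10.0.0.5", "10.0.0.20", 49153),  # file 2
    (1.4, "10.0.0.5", "10.0.0.20", 49154),  # file 3
    (1.9, "10.0.0.5", "10.0.0.20", 49155),  # file 4
    (2.3, "10.0.0.5", "10.0.0.20", 49156),  # file 5
    (2.8, "10.0.0.5", "10.0.0.20", 49157),  # file 6
    (3.0, "10.0.0.7", "10.0.0.20", 80),     # unrelated web client, no alert
]


def portscan_alerts(connections, ports=4, seconds=3.0, ignore_hosts=frozenset()):
    """Simplified classic-portscan-style heuristic (an approximation written for
    this example, not Snort's implementation): report a source that touches at
    least `ports` distinct (dst, dport) pairs inside any `seconds`-long window.
    Connections involving a host in `ignore_hosts` are skipped, which mirrors
    the ignore-host mitigation; raising `ports` mirrors the threshold change."""
    by_src = collections.defaultdict(list)
    for ts, src, dst, dport in sorted(connections):
        if src in ignore_hosts or dst in ignore_hosts:
            continue
        by_src[src].append((ts, dst, dport))

    alerts = []
    for src, events in by_src.items():
        for i, (start, _, _) in enumerate(events):
            window = {(d, p) for t, d, p in events[i:] if t - start <= seconds}
            if len(window) >= ports:
                alerts.append(src)  # one alert per source is enough here
                break
    return alerts


if __name__ == "__main__":
    print("default thresholds:", portscan_alerts(CONNECTIONS))
    print("ignoring the FTP server:",
          portscan_alerts(CONNECTIONS, ignore_hosts=frozenset({"10.0.0.20"})))
    print("higher port threshold:", portscan_alerts(CONNECTIONS, ports=8))
```

With the defaults the FTP client is flagged as a scanner purely because of the PASV data ports; either mitigation clears it, at the cost (for the threshold change) of also tolerating a real scan that stays below the new limit.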