Snort mailing list archives

Re: False positives with UDP Portscan PROTO255


From: Jeremy Hewlett <jh () sourcefire com>
Date: Wed, 9 Mar 2005 13:00:52 -0500

On Sat, Mar 05, Mike Lieberman wrote:
      The black hats are without a doubt aware of this, but a portscan
      that can't distinguish normal traffic from abnormal traffic is of no more

How do you define abnormal traffic? Traffic you've never seen before?
Traffic which is crafted? 

      If I am getting 999 false positives to one true positive, what's the
      likelihood that I would catch the 'true' one?

As Jeff Kell stated, what you're experiencing is the definition of a
portscan. We've gone through some lengths with TCP to weed out false
positives, but UDP is more difficult.

What methods have you tried in tuning the portscan preprocessor?
There's a section in the README.sfportscan that details some thoughts
on tuning this.

      With all respect to those who write and maintain the rules, I don't
      find this rule helpful and will seek to exclude port 53. IMHO we need a more
      sophisticated tool in this regard.

This is the first release of sfPortscan, and thus has just begun its
life cycle. I'm open to ideas in ways to make it better. Anyone is
welcome to send me ideas, patches, start discussions, etc...
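As an added illustration (not part of this message or of the Snort distribution), one way to apply the tuning the thread points at: an sfportscan stanza in Snort 2.x snort.conf syntax that lowers sensitivity and excludes the site's own DNS servers from being treated as scan targets, so legitimate bursts of port 53 traffic stop raising UDP portscan alerts. The addresses are constructed placeholders; sfportscan of this era also expects the flow preprocessor to be configured before it.

```text
# Constructed example: tune sfportscan to reduce UDP/DNS false positives.
# flow must be loaded ahead of sfportscan in Snort 2.x of this vintage.
preprocessor flow: stats_interval 0 hash 2

# proto { udp }        - only UDP is generating the noise in this thread
# sense_level { low }  - fewest false positives; needs a more sustained scan
# ignore_scanned       - hosts that legitimately receive many small UDP flows
#                        (placeholder DNS server addresses, replace with yours)
# ignore_scanners      - trusted resolvers that fan out queries to many hosts
preprocessor sfportscan: proto { udp } \
                         scan_type { portscan portsweep } \
                         sense_level { low } \
                         ignore_scanned { 192.0.2.53 198.51.100.53 } \
                         ignore_scanners { 192.0.2.0/24 } \
                         logfile { portscan.log }
```

Once the known resolvers are excluded, the remaining UDP portscan alerts are far more likely to be worth a look, and the logfile keeps the raw scan summaries for review without flooding the main alert stream.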



