Snort mailing list archives
Dealing with portscans
From: Bilal Malik <bilalmlk92 () gmail com>
Date: Mon, 8 Oct 2012 10:41:14 -0500
Hi, I have 3 Snort sensors that are monitoring the uplink ports of three different stacked switches. Each stacked switch has various VLANs. I am interested in detecting malicious portscans. The problem is, the network is so large (1000-3000 users) at peak time, who all surf the web. Most of the time, I see portscans from Google (which I assume is normal web browsing traffic) and other websites like Facebook, Amazon, etc. I don't want to be alerted when a user surfs legitimate websites because that's a false positive. Writing rules in the threshold.conf file will help me suppress that, but the problem is that there are so MANY users going to so MANY different legitimate websites that it will be a never-ending job to write rules in the threshold.conf file.

I am only interested in a portscan if it comes from an insecure public network to my internal corporate network or from my public wifi hotspot to my internal server network. Let's say 10.10.0.0/16 is my public wifi network, 10.20.0.0/16 is my internal network and 10.30.0.0/16 is my server network. I definitely want to be alerted when someone from my public wifi network reaches into my internal network or server network because the server network only provides services for the users in the internal network. How can I tune Snort to detect such portscans? There are options to ignore_scanners [List of IPs] and ignore_scanned [List of IPs]
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
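The question above is really a source-AND-destination condition (scanner on the public wifi range, target on the internal or server range), while sfPortscan's watch_ip, ignore_scanners and ignore_scanned lists each scope one endpoint at a time. One way to get exactly that pairing is to let the preprocessor run with its normal settings and post-filter its gid 122 alerts. The Python below is an added example, not code from the poster or from the Snort project: it parses alert_fast-style lines, keeps only portscan events whose scanner and target match a policy table built from the three netblocks named in the question, and drops everything else (the Google/Facebook sweeps, internal-to-internal scans, ordinary rule hits). The sample alert lines, the local rule sid and the 203.0.113.0/24 "external" address are constructed for the demo; the policy table is an assumption about what the poster wants and is generalised to any number of scanner/target pairs.

```python
"""Post-filter sfPortscan (gid 122) alerts down to the scanner->target pairs
an operator actually cares about.

Added example, not from the mailing-list post or the Snort project.  The
alert lines in SAMPLE_ALERTS are constructed in alert_fast style; the
netblocks come from the question, the policy pairing is an assumption.
"""
import re
from ipaddress import ip_address, ip_network

# Policy from the question: public wifi -> internal or server networks.
# Each entry is (network the scanner must be on, networks to protect from it).
# Generalised: add more tuples for other untrusted -> protected pairings.
POLICY = [
    (ip_network("10.10.0.0/16"),
     [ip_network("10.20.0.0/16"), ip_network("10.30.0.0/16")]),
]

SFPORTSCAN_GID = 122  # generator id used by the sfPortscan preprocessor

# alert_fast line shape: "<ts> [**] [gid:sid:rev] <msg> [**] ... <src> -> <dst>"
# Endpoints may carry ":port" for rule alerts; portscan alerts have none.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "gid": int(m["gid"]),
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
    }


def is_interesting(alert, policy=POLICY):
    """True only for sfPortscan events whose scanner/target pair is in policy."""
    if alert["gid"] != SFPORTSCAN_GID:
        return False
    for scanner_net, target_nets in policy:
        if alert["src"] in scanner_net and any(alert["dst"] in n for n in target_nets):
            return True
    return False


def filter_alerts(lines, policy=POLICY):
    """Parse every line and keep the alerts that match the policy."""
    kept = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and is_interesting(alert, policy):
            kept.append(alert)
    return kept


def scanners_by_count(alerts):
    """Summarise kept alerts as {scanner ip string: number of alerts}."""
    counts = {}
    for a in alerts:
        key = str(a["src"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log.  122:1 is "TCP Portscan" and 122:3 is "TCP
# Portsweep" in Snort; 1:1000001 is a made-up local rule; 203.0.113.5 is a
# documentation address standing in for a web site like Google.
SAMPLE_ALERTS = [
    # internal client browsing the web: noise the poster wants dropped
    "10/08-10:41:14.000000  [**] [122:3:1] (portscan) TCP Portsweep [**] "
    "[Priority: 3] {PROTO:255} 10.20.1.3 -> 203.0.113.5",
    # public wifi host scanning an internal workstation: keep
    "10/08-10:42:02.000000  [**] [122:1:1] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 10.10.5.20 -> 10.20.1.3",
    # public wifi host scanning a server: keep
    "10/08-10:42:30.000000  [**] [122:1:1] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 10.10.5.20 -> 10.30.0.8",
    # internal host scanning a server: not in policy, dropped
    "10/08-10:43:11.000000  [**] [122:1:1] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 10.20.7.9 -> 10.30.0.8",
    # an ordinary rule hit (gid 1), not a portscan event: dropped
    "10/08-10:43:50.000000  [**] [1:1000001:1] LOCAL example rule [**] "
    "[Priority: 2] {TCP} 10.10.5.20:4444 -> 10.20.1.3:80",
]

if __name__ == "__main__":
    for a in filter_alerts(SAMPLE_ALERTS):
        print(f"{a['src']} -> {a['dst']}  {a['msg']}")
    print(scanners_by_count(filter_alerts(SAMPLE_ALERTS)))
```

Run against a real alert file (`filter_alerts(open("alert"))`), this keeps only the wifi-to-internal and wifi-to-server scans, so the flood of browsing-induced sweeps never has to be enumerated in threshold.conf. Because it works on the preprocessor's output rather than its input, the sensors still see everything; only what gets raised to a human changes.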