Snort mailing list archives

Dealing with portscans


From: Bilal Malik <bilalmlk92 () gmail com>
Date: Mon, 8 Oct 2012 10:41:14 -0500

Hi,

I have 3 snort sensors that are monitoring the uplink ports of three
different stacked switches. Each stacked switch has various VLANs. I am
interested in detecting malicious portscans.


The problem is, the network is so large (1000-3000 users at peak time) that
everyone is surfing the web. Most of the time, I see portscans from Google
(which I assume is normal web browsing traffic) and other websites like
Facebook, Amazon, etc. I don't want to be alerted when a user surfs
legitimate websites because that's a false positive.

Writing rules in the threshold.conf file will help me suppress that but the
problem is that there are so MANY users going to so MANY different
legitimate websites that it will be a never ending job to write rules in
threshold.conf file.


I am only interested in a portscan if it comes from an insecure public
network to my internal corporate network or from my public wifi hotspot to
my internal server network.

Let's say 10.10.0.0/16 is my public wifi network, 10.20.0.0/16 is my
internal network, and 10.30.0.0/16 is my server network.

I definitely want to be alerted when someone from my public wifi network
reaches into my internal network or server network, because the server
network only provides services for the users in the internal network.

How can I tune Snort to detect such portscans?

There are options to ignore_scanners [List of IPs] and ignore_scanned [List
of IPs].
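One way to scope sfportscan to the three networks named in the post, as an added example and not part of the original message or of the Snort distribution. The only tuning knobs used are the documented sfportscan options (proto, scan_type, sense_level, watch_ip, ignore_scanners, ignore_scanned) and a threshold.conf suppress line; the 10.10/10.20/10.30 prefixes are the poster's, and the generator/signature ID 122:3 for "TCP Portsweep" is taken from the stock gen-msg.map and should be checked against the map shipped with your Snort version.

```conf
# --- snort.conf fragment (added example, not the poster's config) ---
#
# Only track scan activity that involves the internal and server networks
# (watch_ip), never treat internal/server hosts themselves as scanners
# (ignore_scanners), and do not care about anything scanning the wifi
# network itself (ignore_scanned). What remains is a scan *of* 10.20/16 or
# 10.30/16 whose source is outside those two networks, which is exactly the
# "wifi reaching into internal/server" case from the post.
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { low } \
    watch_ip { 10.20.0.0/16 10.30.0.0/16 } \
    ignore_scanners { 10.20.0.0/16 10.30.0.0/16 } \
    ignore_scanned { 10.10.0.0/16 }

# --- threshold.conf fragment (added example) ---
#
# Ordinary web browsing from an internal client (many connections to many
# Google/Facebook/CDN addresses on 80/443) tends to show up as a portsweep
# with the client as the scanner. With ignore_scanners above this is already
# dropped; the suppress below is the belt-and-braces version for anyone who
# prefers to keep sfportscan wide open and filter at alert time instead.
# 122:3 is "(portscan) TCP Portsweep" in gen-msg.map; verify for your build.
suppress gen_id 122, sig_id 3, track by_src, ip 10.20.0.0/16
```

Two caveats worth testing before relying on this: the sfportscan documentation describes watch_ip as "IPs, networks, ports that are watched for portscan activity" without spelling out whether it is matched against the scanner, the scanned host, or either, so confirm the behaviour on your version with a deliberate scan from a wifi address (for example an nmap run against a lab host in 10.20.0.0/16) and from an internal address; and none of this touches the case where an external web server is genuinely recorded as the scanner of an internal client, which still needs a per-address entry in ignore_scanners or a suppress line.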