Snort mailing list archives
Is this claim still true for portscan detection in Snort?
From: sashank <sashankdvk () yahoo com>
Date: Sun, 7 Sep 2014 23:17:51 -0700
Hi,

This paper [1] talks about a "fast port scan detection engine" and the technique is popularly known as a Threshold Random Walking (TRW). They claim that Snort's approach has "the drawback that once the window size is known it is easy for attackers to evade detection by simply increasing their scanning interval."

Now this paper is 10 years old and talks about Snort 2.0.2. There have been many recent advances in port scan detection like TRW and BLR implemented in [2]. I see that the portscan detection technology has matured a lot.

What is the latest on Snort's port scan detection technology? I see that at least the documentation of port scanning has not been touched since 2004. I am not sure of the code.

Regards,
Sashank

1. Jung, Jaeyeon, et al. "Fast portscan detection using sequential hypothesis testing." Security and Privacy, 2004. Proceedings. 2004 IEEE Symposium on. IEEE, 2004.
2. https://tools.netsa.cert.org/silk/rwscan.htm
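The claim quoted in the message above can be checked on constructed data. This is an added example, not part of the original post and not code from Snort or from the paper: a simplified fixed-window counter (an assumed stand-in for window-based detection) beside a sequential hypothesis test in the style of TRW. The function names, the event tuples and all parameter values are assumptions.

```python
import math
from collections import defaultdict, deque

def make_events():
    """Constructed sample: (time_s, source, destination, connection_succeeded)."""
    events = []
    for i in range(10):  # slow source: one failed first contact every 120 s
        events.append((i * 120.0, "10.0.0.5", f"192.0.2.{i + 1}", False))
    for i in range(10):  # busy benign source: successful connections 2 s apart
        events.append((i * 2.0, "10.0.0.9", f"198.51.100.{i + 1}", True))
    return sorted(events)

def window_detector(events, window=60.0, threshold=5):
    """Flag sources reaching `threshold` distinct destinations within `window` s."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, dst, _ok in events:
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop contacts older than the window
            q.popleft()
        if len({d for _, d in q}) >= threshold:
            flagged.add(src)
    return flagged

def trw_detector(events, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
    """Sequential hypothesis test on first-contact outcomes; ignores timing.
    theta0/theta1: assumed success probability for benign/scanning sources.
    alpha/beta: assumed target false-positive and detection rates."""
    upper = math.log(beta / alpha)              # at or above: decide "scanner"
    lower = math.log((1 - beta) / (1 - alpha))  # at or below: decide "benign"
    llr, seen, verdict = defaultdict(float), set(), {}
    for _ts, src, dst, ok in events:
        if src in verdict or (src, dst) in seen:
            continue  # only the first contact with each destination counts
        seen.add((src, dst))
        if ok:
            llr[src] += math.log(theta1 / theta0)
        else:
            llr[src] += math.log((1 - theta1) / (1 - theta0))
        if llr[src] >= upper:
            verdict[src] = "scanner"
        elif llr[src] <= lower:
            verdict[src] = "benign"
    return verdict

if __name__ == "__main__":
    sample = make_events()
    print("window:", window_detector(sample))
    print("trw:", trw_detector(sample))
```

On this sample the window counter flags only the busy benign source, while the sequential test labels the slow source a scanner after four failed first contacts regardless of their spacing.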