Snort mailing list archives

Is this claim still true for portscan detection in Snort?


From: sashank <sashankdvk () yahoo com>
Date: Sun, 7 Sep 2014 23:17:51 -0700

Hi,

This paper[1] talks about a "fast port scan detection engine" and the technique is popularly known as Threshold Random Walking (TRW).


They claim that Snort's approach has "the drawback that once the window
size is known it is easy for attackers to evade detection by
simply increasing their scanning interval."  


Now this paper is 10 years old and talks about Snort 2.0.2. There have been many recent advances in port scan detection like TRW and BLR implemented in [2].

I see that the portscan detection technology has matured a lot.

What is the latest on Snort's port scan detection technology? I see that at least the documentation of port scanning has not been touched since 2004. I am not sure about the code.


Regards,
Sashank



        1. Jung, Jaeyeon, et al. "Fast portscan detection using sequential hypothesis testing." Security and Privacy, 2004. Proceedings. 2004 IEEE Symposium on. IEEE, 2004.
        2. https://tools.netsa.cert.org/silk/rwscan.htm
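
The contrast drawn by the claim quoted in the post, as an added example that is not part of the original post, of Snort, or of the code in [1] or [2]: a fixed time-window counter next to a simplified per-source sequential likelihood-ratio test in the style of [1]. The parameter values, function names and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed parameters, not taken from the post: chance that a first contact succeeds
# for a benign source (THETA0) or a scanner (THETA1), and target error rates.
THETA0, THETA1 = 0.8, 0.2
ALPHA, BETA = 0.01, 0.99
ETA1 = BETA / ALPHA                # likelihood ratio at or above this: scanner
ETA0 = (1 - BETA) / (1 - ALPHA)    # at or below this: benign

def window_detector(events, window=60.0, threshold=5):
    """Flag sources that touch >= threshold distinct hosts within `window` seconds."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, dst, _ok in events:
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop contacts that fell out of the window
            q.popleft()
        if len({d for _, d in q}) >= threshold:
            flagged.add(src)
    return flagged

def sequential_detector(events):
    """Per-source likelihood-ratio test on first-contact outcomes; time is ignored."""
    ratio, seen, verdict = defaultdict(lambda: 1.0), defaultdict(set), {}
    for _ts, src, dst, ok in events:
        if src in verdict or dst in seen[src]:
            continue                   # already decided, or not a first contact
        seen[src].add(dst)
        ratio[src] *= THETA1 / THETA0 if ok else (1 - THETA1) / (1 - THETA0)
        if ratio[src] >= ETA1:
            verdict[src] = "scanner"
        elif ratio[src] <= ETA0:
            verdict[src] = "benign"
    return verdict

def sample_events():
    """Constructed (time_s, source, destination, succeeded) records."""
    ev = [(i * 1.0, "192.0.2.7", f"198.51.100.{i}", False) for i in range(6)]     # fast prober
    ev += [(i * 300.0, "192.0.2.9", f"198.51.100.{i}", False) for i in range(6)]  # slow prober
    ev += [(i * 1.0, "192.0.2.5", f"198.51.100.{i}", True) for i in range(4)]     # normal client
    return sorted(ev)

if __name__ == "__main__":
    print("window:", window_detector(sample_events()))
    print("sequential:", sequential_detector(sample_events()))
```

The sequential test needs the outcome of each first contact (answered or not), which the window counter does not use, so it depends on the sensor seeing both directions of the traffic.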