Snort mailing list archives

Question about 'TCP distributed portscan' signature


From: soc soc via Snort-users <snort-users () lists snort org>
Date: Wed, 26 Jul 2017 12:13:05 -0300

Hello Everyone,

First of all, I wanted to say that we are new to Snort and to any IDS, for
that matter. We are trying to set this up in our environment, running
snort+pulledpork+barnyard2+mysql+snorby. We are at the step of tuning the
scan preprocessor to reduce many of the false positives we are receiving,
and I wanted to ask a question about distributed portscans; if anyone could
help, it would be very much appreciated.

We are seeing multiple "distributed portscan" alerts on our Snort for the
same source and destination. From reading README.sfcpreprocessor, we
understand this is a "These are many->one portscans" case.
This is the only scan type we left configured in our snort.conf file, for the
scanning part at least.

But when looking at the alert, we see this:

Priority Count: 15
Connection Count: 20
IP Count: 1
Scanner IP Range: 10.70.165.242:10.70.165.242
Port/Proto Count: 20
Port/Proto Range: 22:31337

We did query the database where the alerts are being stored, and there was
just one alert generated for this event, but all it says is that it was
triggered for source 10.70.165.242 to 10.70.128.82. As we understand it, this
should only be generated if the scan was done from multiple hosts to a
single destination host. Is this correct? The only IP in the alert is
source 10.70.165.242.

Is there a way to check why this could have been generated?

If there is any other info I can provide, please let me know.

Thanks in advance

agustin
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
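As an added example that is not part of the original post or of Snort itself: a small parser for the key/value payload sfPortscan writes into its alerts (the six lines quoted above), plus a triage check that flags a "distributed" (many->one) alert whose payload reports only a single scanning host, as in the question. The sample payload is the one from the post with its whitespace restored; IPv4 addresses in the Scanner IP Range are assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the payload quoted in the question, with the
# whitespace the archive had turned into dots restored.
SAMPLE_PAYLOAD = """Priority Count: 15
Connection Count: 20
IP Count: 1
Scanner IP Range: 10.70.165.242:10.70.165.242
Port/Proto Count: 20
Port/Proto Range: 22:31337
"""

# One "Name: value" line; the name is everything before the first colon.
LINE_RE = re.compile(r"^\s*([A-Za-z/ ]+?)\s*:\s*(.+?)\s*$")


@dataclass
class PortscanInfo:
    priority_count: int
    connection_count: int
    ip_count: int
    scanner_ip_range: tuple  # (first_ip, last_ip) as strings, IPv4 assumed
    port_count: int
    port_range: tuple        # (low_port, high_port) as ints


def parse_sfportscan_payload(text):
    """Parse the key/value lines of an sfPortscan alert payload."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    first_ip, last_ip = fields["Scanner IP Range"].split(":")
    low, high = fields["Port/Proto Range"].split(":")
    return PortscanInfo(
        priority_count=int(fields["Priority Count"]),
        connection_count=int(fields["Connection Count"]),
        ip_count=int(fields["IP Count"]),
        scanner_ip_range=(first_ip, last_ip),
        port_count=int(fields["Port/Proto Count"]),
        port_range=(int(low), int(high)),
    )


def distributed_claim_supported(info):
    """A many->one (distributed) alert should involve more than one scanner;
    IP Count of 1 with a single-host Scanner IP Range contradicts that."""
    return info.ip_count > 1 or info.scanner_ip_range[0] != info.scanner_ip_range[1]
```

Running the parser over stored alert payloads and keeping only those where the check returns False gives a quick list of "distributed portscan" events whose payload actually describes a single source, which is the case worth reviewing against the preprocessor settings.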