[Snort-devel] spp_portscan2 questions (Snort 1.9-dev build 147)
bear at ...1395...
Sun May 26 03:53:01 EDT 2002
Hi, a couple of things....
I'm new to Snort, Snort CVS and to this list, and decided to turn to the
list after exhausting all the net resources I could find. If these are
newbie questions, please go easy on me... There's nothing pertinent I
could find using google, snort.org, sourceforge, freshmeat, and the
First, I'm trying to configure the spp_portscan2 preprocessor in the
latest CVS version of Snort, and can't seem to figure out how to set the
parameters set forth in the comments contained in snort.conf -- It says:
# Portscan 2, detect portscans in a new and exciting way.
# Available options:
# psnodes [num]
# tgtnodes [num]
# targets [num]
# ports [num]
# timeout [num]
# log [logdir]
What I've tried is this, and some variations of this....
preprocessor spp_portscan2: timeout 5 ports 4
...in an effort to have it not trigger until it sees 4 scan ports in 5
seconds. Does anyone know the correct param format for this line?
One thing I also see, which I don't quite get, is why outbound DNS
lookups (udp $HOME_NET any -> $EXTERNAL_NET 53) are being captured:
#0-(3-19) [snortDB] spp_portscan2: Portscan detected 2002-05-26 03:00:12
126.96.36.199:32887 188.8.131.52:53 UDP
Lastly, and somewhat off topic, (ok, this is three things - I lied...) I
am seeing hundreds of inbound syn packets per hour to tcp port 6633,
originating from dozens of hosts around the globe. Anyone have any info
on this? I can find no correlation to anything originating from my
network to the seemingly randomly-originated and continuous inbound
stream. Again, I can find nothing on the net regarding this traffic
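The thresholds the post is trying to set ("4 scan ports in 5 seconds") boil down to a per-source sliding window: count distinct destination ports and distinct destination hosts seen from one source within the timeout, and alert when either count crosses its limit. The following is an added illustration of that logic, not spp_portscan2's own code and not Snort's configuration syntax; the parameter names port_limit / target_limit / timeout, the alert format, and the packet records it is run over are all constructed for this example. It is run here over sample records for a fast scan, a slow scan, a burst of DNS queries, and a horizontal sweep.

```python
# Simplified sliding-window scan detector, loosely modelled on the
# ports / targets / timeout thresholds listed in the snort.conf comment.
# Added illustration; not Snort's own code. The record format below
# ("ts src:sport dst:dport proto") is constructed for this example.
from collections import defaultdict, deque


def parse_flow(line):
    """Parse one constructed 'ts src:sport dst:dport proto' record."""
    ts, src, dst, proto = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return float(ts), src_ip, dst_ip, int(dport), proto


class ScanDetector:
    """Per-source sliding window over recent (timestamp, target, port).

    port_limit   -- distinct destination ports from one source within timeout
    target_limit -- distinct destination hosts from one source within timeout
    timeout      -- window length in seconds
    (hypothetical parameter names, chosen to mirror the snort.conf comment)
    """

    def __init__(self, port_limit=4, target_limit=4, timeout=5.0):
        self.port_limit = port_limit
        self.target_limit = target_limit
        self.timeout = timeout
        self.window = defaultdict(deque)  # src -> deque of (ts, dst, dport)

    def observe(self, ts, src, dst, dport):
        q = self.window[src]
        q.append((ts, dst, dport))
        # Expire entries older than the timeout from the head of the window.
        while q and ts - q[0][0] > self.timeout:
            q.popleft()
        ports = {p for _, _, p in q}
        targets = {d for _, d, _ in q}
        reason = None
        if len(ports) >= self.port_limit:
            reason = "ports"
        elif len(targets) >= self.target_limit:
            reason = "targets"
        if reason is None:
            return None
        q.clear()  # one alert per scan rather than one per further packet
        return {"src": src, "ts": ts, "reason": reason,
                "ports": len(ports), "targets": len(targets)}


def run(lines, **thresholds):
    """Feed records through the detector and return the alerts raised."""
    det = ScanDetector(**thresholds)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _proto = parse_flow(line)
        alert = det.observe(ts, src, dst, dport)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic: a fast vertical scan (10.0.0.5), the same
# four ports spread across 10 s (10.0.0.6), a burst of DNS queries to one
# resolver (10.0.0.7), and a horizontal sweep of port 80 (10.0.0.8).
SAMPLE = """\
0.0 10.0.0.5:40001 192.0.2.10:21 TCP
0.5 10.0.0.5:40002 192.0.2.10:22 TCP
1.0 10.0.0.5:40003 192.0.2.10:23 TCP
1.5 10.0.0.5:40004 192.0.2.10:25 TCP
0.0 10.0.0.6:50001 192.0.2.20:80 TCP
0.5 10.0.0.6:50002 192.0.2.20:443 TCP
10.0 10.0.0.6:50003 192.0.2.20:8080 TCP
10.5 10.0.0.6:50004 192.0.2.20:8443 TCP
2.0 10.0.0.7:32887 198.51.100.53:53 UDP
2.1 10.0.0.7:32888 198.51.100.53:53 UDP
2.2 10.0.0.7:32889 198.51.100.53:53 UDP
2.3 10.0.0.7:32890 198.51.100.53:53 UDP
3.0 10.0.0.8:60001 192.0.2.1:80 TCP
3.1 10.0.0.8:60002 192.0.2.2:80 TCP
3.2 10.0.0.8:60003 192.0.2.3:80 TCP
3.3 10.0.0.8:60004 192.0.2.4:80 TCP
"""

SLOW_SCAN = [l for l in SAMPLE.splitlines() if l.split()[1].startswith("10.0.0.6")]

if __name__ == "__main__":
    for a in run(SAMPLE.splitlines(), port_limit=4, target_limit=4, timeout=5.0):
        print(a)
```

With port_limit 4 and timeout 5 the fast scan and the horizontal sweep alert, the slow scan does not (its first two probes have expired by the time the next two arrive), and the DNS burst does not, because this model counts distinct destination ports and hosts rather than distinct source ports. Which of those a scan detector actually counts is exactly what decides whether a run of outbound lookups to port 53 looks like a scan, so that is the counting rule worth checking in the real preprocessor before tuning its thresholds.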