[Snort-devel] spp_portscan2 questions (Snort 1.9-dev build 147)

John Stroud bear at ...1395...
Sun May 26 03:53:01 EDT 2002


Hi, a couple of things....

I'm new to Snort, Snort CVS and to this list, and decided to turn to the
list after exhausting all the net resources I could find.  If these are
newbie questions, please go easy on me...  There's nothing pertinent I
could find using google, snort.org, sourceforge, freshmeat, and the
documentation itself.

First, I'm trying to configure the spp_portscan2 preprocessor in the
latest CVS version of Snort, and can't seem to figure out how to set the
parameters set forth in the comments contained in snort.conf -- It says:

# Portscan2
#-------------------------------------------
# Portscan 2, detect portscans in a new and exciting way.
#
# Available options:
#       psnodes [num]
#       tgtnodes [num]
#       targets [num]
#       ports [num]
#       timeout [num]
#       log [logdir]

What I've tried is this, and some variations of this....

preprocessor spp_portscan2: timeout 5 ports 4

...in an effort to have it not trigger until it sees 4 scan ports in 5
seconds.  Does anyone know the correct param format for this line?

One thing I see also, which I don't quite get, is why outbound DNS
lookups (udp $HOME_NET any -> $EXTERNAL_NET 53) are being captured?

---------------
#0-(3-19) [snortDB] spp_portscan2: Portscan detected 2002-05-26 03:00:12
64.133.238.107:32887 207.183.156.9:53 UDP 
---------------

Lastly, and somewhat off topic, (ok, this is three things - I lied...) I
am seeing hundreds of inbound syn packets per hour to tcp port 6633,
originating from dozens of hosts around the globe.  Anyone have any info
on this?  I can find no correlation to anything originating from my
network to the seemingly randomly-originated and continuous inbound
stream.  Again, I can find nothing on the net regarding this traffic
pattern.

Thanks,
John Stroud





More information about the Snort-devel mailing list