[Snort-devel] spp_portscan2 questions (Snort 1.9-dev build 147)

Chris Green cmg at ...402...
Sun May 26 10:34:02 EDT 2002


"John Stroud" <bear at ...1395...> writes:

> Hi, a couple of things....
>
> I'm new to Snort, Snort CVS and to this list, and decided to turn to the
> list after exhausting all the net resources I could find.  If these are
> newbie questions, please go easy on me...  There's nothing pertinent I
> could find using google, snort.org, sourceforge, freshmeat, and the
> documentation itself.

You're on the cutting edge of playing if you're using the head branch
in CVS.

>
>
> First, I'm trying to configure the spp_portscan2 preprocessor in the
> latest CVS version of Snort, and can't seem to figure out how to set the
> parameters set forth in the comments contained in snort.conf -- It says:
>
> # Portscan2
> #-------------------------------------------
> # Portscan 2, detect portscans in a new and exciting way.
> #
> # Available options:
> #       psnodes [num]
> #       tgtnodes [num]
> #       targets [num]
> #       ports [num]
> #       timeout [num]
> #       log [logdir]
>
> What I've tried is this, and some variations of this....
>
> preprocessor spp_portscan2: timeout 5 ports 4

preprocessor spp_portscan2: timeout 5, ports 4

>
> ...in an effort to have it not trigger until it sees 4 scan ports in 5
> seconds.  Does anyone know the correct param format for this line?
>
> One thing I see also, which I don't quite get, is why outbound DNS
> lookups (udp $HOME_NET any -> $EXTERNAL_NET 53) are being captured?
>
> ---------------
> #0-(3-19) [snortDB] spp_portscan2: Portscan detected 2002-05-26 03:00:12
> 64.133.238.107:32887 207.183.156.9:53 UDP

Lots of queries to the same server. There needs to be better tuning
for this.

> ---------------
>
> Lastly, and somewhat off topic, (ok, this is three things - I lied...) I
> am seeing hundreds of inbound syn packets per hour to tcp port 6633,
> originating from dozens of hosts around the globe.  Anyone have any info
> on this?  

No idea.

> I can find no correlation to anything originating from my network to
> the seemingly randomly-originated and continuous inbound stream.
> Again, I can find nothing on the net regarding this traffic pattern.
>
> Thanks,
> John Stroud
>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

-- 
Chris Green <cmg at ...402...>
A good pun is its own reword.
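A simplified model of the threshold semantics discussed above (`ports` hits within `timeout` seconds) and of the comma-separated option syntax from the reply, added here as an example that is not Snort's code: the packet records, the option parser and the distinct-versus-raw counting rule are assumptions, not spp_portscan2's actual implementation. It shows why a burst of lookups to one resolver trips a raw packet count but not a count of distinct target ports, which is the kind of tuning the reply refers to.

```python
from collections import defaultdict, deque

KNOWN_OPTIONS = {"psnodes", "tgtnodes", "targets", "ports", "timeout", "log"}

def parse_options(arg_string):
    """Parse 'name value' fields separated by commas, e.g. 'timeout 5, ports 4'.
    Assumed format taken from the reply above; this is not Snort's own parser.
    The space-only form 'timeout 5 ports 4' is rejected as a single bad field."""
    opts = {}
    for field in arg_string.split(","):
        parts = field.split()
        if len(parts) != 2 or parts[0] not in KNOWN_OPTIONS:
            raise ValueError(f"bad option field: {field.strip()!r}")
        name, value = parts
        opts[name] = value if name == "log" else int(value)
    return opts

# Constructed packet records, not from the post: (time_s, src, dst, proto, dst_port)
SAMPLE_PACKETS = [
    (100.0, "10.0.0.5", "192.0.2.10", "TCP", 21),   # a real scan: 4 ports in 1.5 s
    (100.5, "10.0.0.5", "192.0.2.10", "TCP", 22),
    (101.0, "10.0.0.5", "192.0.2.10", "TCP", 23),
    (101.5, "10.0.0.5", "192.0.2.10", "TCP", 25),
    (200.0, "10.0.0.7", "192.0.2.53", "UDP", 53),   # DNS burst: 5 lookups, one resolver
    (200.2, "10.0.0.7", "192.0.2.53", "UDP", 53),
    (200.4, "10.0.0.7", "192.0.2.53", "UDP", 53),
    (200.6, "10.0.0.7", "192.0.2.53", "UDP", 53),
    (200.8, "10.0.0.7", "192.0.2.53", "UDP", 53),
]

def detect_scans(packets, ports=4, timeout=5, count_distinct=True):
    """Return (time, src) alerts. Per source, keep a sliding window of events no
    older than `timeout` seconds; alert when the window holds `ports` or more
    distinct (dst, proto, port) tuples (count_distinct=True) or simply `ports`
    or more packets (count_distinct=False, the naive rule that lets a DNS burst fire)."""
    windows, alerts = defaultdict(deque), []
    for ts, src, dst, proto, dport in packets:
        w = windows[src]
        w.append((ts, (dst, proto, dport)))
        while ts - w[0][0] > timeout:      # drop events that fell out of the window
            w.popleft()
        n = len({key for _, key in w}) if count_distinct else len(w)
        if n >= ports:
            alerts.append((ts, src))
            w.clear()                       # one alert per burst, then start over
    return alerts
```

Calling `detect_scans(SAMPLE_PACKETS, **parse_options("timeout 5, ports 4"))` flags only the scanning host; with `count_distinct=False` the DNS source is flagged too.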