[Snort-devel] spp_portscan2 questions (Snort 1.9-dev build 147)
cmg at ...402...
Sun May 26 10:34:02 EDT 2002
"John Stroud" <bear at ...1395...> writes:
> Hi, a couple of things....
> I'm new to Snort, Snort CVS and to this list, and decided to turn to the
> list after exhausting all the net resources I could find. If these are
> newbie questions, please go easy on me... There's nothing pertinent I
> could find using google, snort.org, sourceforge, freshmeat, and the
> documentation itself.
You're on the cutting edge of playing if you're using the head branch.
> First, I'm trying to configure the spp_portscan2 preprocessor in the
> latest CVS version of Snort, and can't seem to figure out how to set the
> parameters set forth in the comments contained in snort.conf -- It says:
> # Portscan2
> # Portscan 2, detect portscans in a new and exciting way.
> # Available options:
> # psnodes [num]
> # tgtnodes [num]
> # targets [num]
> # ports [num]
> # timeout [num]
> # log [logdir]
> What I've tried is this, and some variations of this....
> preprocessor spp_portscan2: timeout 5 ports 4
preprocessor spp_portscan2: timeout 5, ports 4
> ...in an effort to have it not trigger until it sees 4 scan ports in 5
> seconds. Does anyone know the correct param format for this line?
> One thing I see also, which I don't quite get, is why outbound DNS
> lookups (udp $HOME_NET any -> $EXTERNAL_NET 53) are being captured?
> #0-(3-19) [snortDB] spp_portscan2: Portscan detected 2002-05-26 03:00:12
> 18.104.22.168:32887 22.214.171.124:53 UDP
Lots of queries to the same server. There needs to be better tuning.
> Lastly, and somewhat off topic, (ok, this is three things - I lied...) I
> am seeing hundreds of inbound syn packets per hour to tcp port 6633,
> originating from dozens of hosts around the globe. Anyone have any info
> on this?
> I can find no correlation to anything originating from my network to
> the seemingly randomly-originated and continuous inbound stream.
> Again, I can find nothing on the net regarding this traffic pattern.
> John Stroud
Chris Green <cmg at ...402...>
A good pun is its own reword.
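A toy model, added here and taken neither from the thread nor from Snort's source, of the comma-separated option line given in the reply and of the ports/timeout thresholds the question is about; the parsing rule, the alert condition and the scan events are assumptions and constructed samples, not Snort's actual behaviour.

```python
"""Toy model of spp_portscan2's option line and its ports/timeout thresholds.
Assumed, not Snort's code: comma-separated 'name value' options (names from the
quoted snort.conf comment); alert once a source hits `ports` ports in `timeout` s."""
from collections import defaultdict

KNOWN_OPTIONS = {"psnodes", "tgtnodes", "targets", "ports", "timeout", "log"}
PREFIX = "preprocessor spp_portscan2:"


def parse_portscan2(line):
    """Turn 'preprocessor spp_portscan2: timeout 5, ports 4' into a dict.
    The space-only form the poster tried ('timeout 5 ports 4') is rejected:
    without commas it reads as one option carrying a three-word value."""
    if not line.startswith(PREFIX):
        raise ValueError("not an spp_portscan2 line")
    opts = {}
    for item in line[len(PREFIX):].split(","):
        parts = item.split()
        if len(parts) != 2 or parts[0] not in KNOWN_OPTIONS:
            raise ValueError(f"bad option {item.strip()!r}: expected comma-separated 'name value'")
        name, value = parts
        opts[name] = value if name == "log" else int(value)
    return opts


def is_valid_option_line(line):
    try:
        parse_portscan2(line)
        return True
    except ValueError:
        return False


def alerts_for(line, events):
    """Replay constructed (ts, src, dst, dport) events against the parsed line;
    return the timestamps at which the ports-within-timeout threshold is met."""
    cfg = parse_portscan2(line)
    seen = defaultdict(list)  # src -> [(ts, dst, dport), ...] inside the window
    alerts = []
    for ts, src, dst, dport in events:
        window = [e for e in seen[src] if ts - e[0] < cfg["timeout"]]
        window.append((ts, dst, dport))
        seen[src] = window
        if len({(d, p) for _, d, p in window}) >= cfg["ports"]:
            alerts.append(ts)
    return alerts


# Constructed sample: four ports in two seconds trips 'timeout 5, ports 4';
# the same four ports spread over twelve seconds never has four in one window.
FAST_SCAN = [(0, "10.0.0.5", "10.0.0.9", 21), (1, "10.0.0.5", "10.0.0.9", 22),
             (1, "10.0.0.5", "10.0.0.9", 23), (2, "10.0.0.5", "10.0.0.9", 25)]
SLOW_SCAN = [(0, "10.0.0.5", "10.0.0.9", 21), (4, "10.0.0.5", "10.0.0.9", 22),
             (8, "10.0.0.5", "10.0.0.9", 23), (12, "10.0.0.5", "10.0.0.9", 25)]
```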