[Snort-devel] Portscan2 suggestion

Chris Green cmg at ...402...
Mon Oct 7 07:47:03 EDT 2002


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> Since the Source IP of portscans is recorded in the iphdr table,
> wouldn't it make sense to simplify the signature created and remove the
> from X.X.X.X part?  Would also make management of snort easier, and
> allow for easier grouping of signatures to look for patterns.

Search for patterns on Sid/Gid if that's what you are trying to do.
>
> Another possible item.   What about storing a list of all the dest IPs
> in the data output if there's more than one?  Or, what about another
> table just to store portscan information so that so many unique sigs
> aren't created.   Certainly targets, ports, seconds should be stored
> separate of the sig..

Unfortunately, that requires redoing the entire output system.  On the
plus side, that's in the plans.
-- 
Chris Green <cmg at ...402...>
Eschew obfuscation.
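As an added illustration of the "search for patterns on Sid/Gid" advice above (this is not code from the thread or from the Snort project), the block below builds a tiny in-memory copy of a simplified Snort database-output layout and shows why grouping on the signature's gid/sid plus the `iphdr` source address works even though every portscan2 alert string currently lands as its own `signature` row. Assumptions: the three tables and column names (`signature.sig_gid`/`sig_sid`, `event.signature`, `iphdr.ip_src`) follow the database plugin's schema of that era and should be checked against your own create script; gid 117 / sid 1 are the portscan2 preprocessor ids as listed in gen-msg.map and are treated here as illustrative; all alert rows and message strings are constructed for the example. `parse_portscan2_message` pulls the targets/ports/seconds values out of the message text as an interim measure, since the thread notes they are not stored in separate columns yet.

```python
import ipaddress
import re
import sqlite3

# Simplified subset of the Snort database-output schema (ASSUMPTION: column names
# follow the ACID/Snort 1.9-era create scripts; verify against your own).
SCHEMA = """
CREATE TABLE signature (
    sig_id   INTEGER PRIMARY KEY,
    sig_name TEXT NOT NULL,
    sig_sid  INTEGER,
    sig_gid  INTEGER
);
CREATE TABLE event (
    sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
    PRIMARY KEY (sid, cid)
);
CREATE TABLE iphdr (
    sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
    PRIMARY KEY (sid, cid)
);
"""

# Illustrative generator/signature ids for the portscan2 preprocessor.
PORTSCAN_GID, PORTSCAN_SID = 117, 1

# Constructed sample data: one signature row per distinct message string, which is
# exactly the proliferation the thread complains about.
SAMPLE_SIGNATURES = [
    (1, "spp_portscan2: Portscan detected from 10.0.0.5: 1 targets 21 ports in 1 seconds",
     PORTSCAN_SID, PORTSCAN_GID),
    (2, "spp_portscan2: Portscan detected from 10.0.0.5: 4 targets 12 ports in 3 seconds",
     PORTSCAN_SID, PORTSCAN_GID),
    (3, "spp_portscan2: Portscan detected from 10.0.0.9: 1 targets 30 ports in 2 seconds",
     PORTSCAN_SID, PORTSCAN_GID),
]
# (sensor sid, cid, sig_id, timestamp, ip_src, ip_dst) -- constructed.
SAMPLE_EVENTS = [
    (1, 1, 1, "2002-10-07 07:00:01", "10.0.0.5", "192.168.1.10"),
    (1, 2, 2, "2002-10-07 07:00:05", "10.0.0.5", "192.168.1.11"),
    (1, 3, 1, "2002-10-07 07:00:09", "10.0.0.5", "192.168.1.12"),
    (1, 4, 3, "2002-10-07 07:01:00", "10.0.0.9", "192.168.1.10"),
]


def ip_to_int(dotted):
    """The database plugin stores addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))


def load_sample_db():
    """Create the in-memory tables and load the constructed alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?)", SAMPLE_SIGNATURES)
    for sid, cid, sig_id, ts, src, dst in SAMPLE_EVENTS:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig_id, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)",
                     (sid, cid, ip_to_int(src), ip_to_int(dst)))
    conn.commit()
    return conn


def distinct_signature_count(conn, gid=PORTSCAN_GID, sid=PORTSCAN_SID):
    """How many separate signature rows the 'from X.X.X.X' text has produced."""
    return conn.execute("SELECT COUNT(*) FROM signature WHERE sig_gid = ? AND sig_sid = ?",
                        (gid, sid)).fetchone()[0]


def scans_by_source(conn, gid=PORTSCAN_GID, sid=PORTSCAN_SID):
    """Group portscan events by scanning host using gid/sid + iphdr.ip_src,
    ignoring the per-alert signature text entirely."""
    rows = conn.execute("""
        SELECT i.ip_src, COUNT(*) AS n, MIN(e.timestamp), MAX(e.timestamp)
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        WHERE s.sig_gid = ? AND s.sig_sid = ?
        GROUP BY i.ip_src
        ORDER BY n DESC, i.ip_src
    """, (gid, sid)).fetchall()
    return [(int_to_ip(src), n, first, last) for src, n, first, last in rows]


# Interim extraction of the fields that are currently embedded in the message text.
MSG_RE = re.compile(r"Portscan detected from (?P<src>[\d.]+): (?P<targets>\d+) targets "
                    r"(?P<ports>\d+) ports in (?P<seconds>\d+) seconds")


def parse_portscan2_message(sig_name):
    """Return src/targets/ports/seconds from a portscan2 alert string, or None."""
    m = MSG_RE.search(sig_name)
    if not m:
        return None
    return {"src": m.group("src"), "targets": int(m.group("targets")),
            "ports": int(m.group("ports")), "seconds": int(m.group("seconds"))}


if __name__ == "__main__":
    db = load_sample_db()
    print("signature rows:", distinct_signature_count(db))
    for row in scans_by_source(db):
        print(row)
```

Three signature rows collapse into two scanning hosts once the query keys on gid/sid and `iphdr.ip_src`, which is the grouping the reply recommends until the output system stores targets, ports and seconds in their own columns.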