[Snort-devel] Portscan2 suggestion
cmg at ...402...
Mon Oct 7 07:47:03 EDT 2002
"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:
> Since the Source IP of portscans is recorded in the iphdr table,
> wouldn't it make sense to simplify the signature created and remove the
> from X.X.X.X part? Would also make management of snort easier, and
> allow for easier grouping of signatures to look for patterns.
Search for patterns on Sid/Gid if that's what you are trying to do.
> Another possible item. What about storing a list of all the dest IPs
> in the data output if there's more than one? Or, what about another
> table just to store portscan information so that so many unique sigs
> aren't created. Certainly targets, ports, seconds should be stored
> separate of the sig..
Unfortunately, that requires redoing the entire output system. On the
plus side, that's in the plans.
Chris Green <cmg at ...402...>