[Snort-devel] Portscan2 suggestion

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Mon Oct 7 09:01:09 EDT 2002


Pattern matching in a database is resource intensive, and for people
wanting to just watch for portscans, or to just list out all portscans
and watch them in real-time, it makes it much more difficult.  I'd say
for the vast majority of people using snort what you say works
perfectly, but for those with massive amounts of data being collected
(likely some of sourcefire's customers even) this could be something
very useful.

So, what kind of ideas are you all passing around for the output system?

-----Original Message-----
From: Chris Green [mailto:cmg at ...402...] 
Sent: Monday, October 07, 2002 9:45 AM
To: Kreimendahl, Chad J
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Portscan2 suggestion


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> Since the Source IP of portscans is recorded in the iphdr table,
> wouldn't it make sense to simplify the signature created and remove the
> "from X.X.X.X" part?  Would also make management of snort easier, and
> allow for easier grouping of signatures to look for patterns.

Search for patterns on Sid/Gid if that's what you are trying to do.
>
> Another possible item.   What about storing a list of all the dest IPs
> in the data output if there's more than one?  Or, what about another
> table just to store portscan information so that so many unique sigs
> aren't created.   Certainly targets, ports, seconds should be stored
> separate of the sig..

Unfortunately, that requires redoing the entire output system.  On the
plus side, that's in the plans.
-- 
Chris Green <cmg at ...402...>
Eschew obfuscation.
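The storage layouts argued over in this exchange, as an added example that is not part of the thread and not Snort's own database output plugin or schema. It builds both layouts in SQLite: the one Chad objects to, where every distinct portscan message becomes its own signature row and portscans can only be found by pattern matching on the signature text, and the one he suggests, where a single generic signature is used and targets, ports and seconds live in their own table keyed on the event, with the source IP coming from iphdr. The table and column names (signature, event, iphdr, portscan, cid, ip_src) are simplified stand-ins loosely modelled on the Snort schema names mentioned above; the alert message format and the sample scans are constructed for the example.

```python
import sqlite3

# Constructed sample scans as (src, dst, targets, ports, seconds); the
# addresses and counts are made up for this example.
SAMPLE_SCANS = [
    ("10.0.0.5", "192.168.1.10", 4, 23, 5),
    ("10.0.0.5", "192.168.1.11", 4, 23, 5),
    ("10.0.0.5", "192.168.1.12", 7, 40, 9),
    ("172.16.3.9", "192.168.1.10", 1, 120, 3),
]

# Approximation of a portscan2 alert message (assumed format, not copied
# from Snort); every different src/targets/ports/seconds combination
# yields a different string, and therefore a different signature row.
def scan_message(src, targets, ports, seconds):
    return f"Portscan detected from {src}: {targets} targets {ports} ports in {seconds} seconds"

COMMON_TABLES = """
    CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT UNIQUE);
    CREATE TABLE event (cid INTEGER PRIMARY KEY, signature INTEGER REFERENCES signature(sig_id));
    CREATE TABLE iphdr (cid INTEGER PRIMARY KEY REFERENCES event(cid), ip_src TEXT, ip_dst TEXT);
"""

def load_legacy(conn):
    """Layout criticised in the thread: the scan parameters are baked into sig_name."""
    conn.executescript(COMMON_TABLES)
    for cid, (src, dst, targets, ports, seconds) in enumerate(SAMPLE_SCANS, 1):
        name = scan_message(src, targets, ports, seconds)
        conn.execute("INSERT OR IGNORE INTO signature (sig_name) VALUES (?)", (name,))
        sig_id = conn.execute("SELECT sig_id FROM signature WHERE sig_name = ?", (name,)).fetchone()[0]
        conn.execute("INSERT INTO event VALUES (?, ?)", (cid, sig_id))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?)", (cid, src, dst))
    conn.commit()

def load_normalized(conn):
    """Layout suggested in the thread: one generic signature, parameters in a portscan table."""
    conn.executescript(COMMON_TABLES + """
        CREATE TABLE portscan (cid INTEGER PRIMARY KEY REFERENCES event(cid),
                               targets INTEGER, ports INTEGER, seconds INTEGER);
        INSERT INTO signature (sig_id, sig_name) VALUES (1, 'Portscan detected');
    """)
    for cid, (src, dst, targets, ports, seconds) in enumerate(SAMPLE_SCANS, 1):
        conn.execute("INSERT INTO event VALUES (?, 1)", (cid,))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?)", (cid, src, dst))
        conn.execute("INSERT INTO portscan VALUES (?, ?, ?, ?)", (cid, targets, ports, seconds))
    conn.commit()

def signature_count(conn):
    return conn.execute("SELECT COUNT(*) FROM signature").fetchone()[0]

def scans_per_source_legacy(conn):
    # Finding portscans at all requires a LIKE over the signature text, which
    # is the resource-intensive pattern match the thread complains about.
    return conn.execute("""
        SELECT i.ip_src, COUNT(*) FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i ON i.cid = e.cid
        WHERE s.sig_name LIKE 'Portscan detected from %'
        GROUP BY i.ip_src ORDER BY i.ip_src""").fetchall()

def scans_per_source_normalized(conn):
    # Plain join and aggregate, no string matching, and the numeric columns
    # (ports here) can be queried directly instead of parsed out of a string.
    return conn.execute("""
        SELECT i.ip_src, COUNT(*), MAX(p.ports) FROM portscan p
        JOIN iphdr i ON i.cid = p.cid
        GROUP BY i.ip_src ORDER BY i.ip_src""").fetchall()

def compare_layouts():
    legacy = sqlite3.connect(":memory:")
    load_legacy(legacy)
    normalized = sqlite3.connect(":memory:")
    load_normalized(normalized)
    return {
        "legacy_signatures": signature_count(legacy),
        "normalized_signatures": signature_count(normalized),
        "legacy_per_source": scans_per_source_legacy(legacy),
        "normalized_per_source": scans_per_source_normalized(normalized),
    }

if __name__ == "__main__":
    for key, value in compare_layouts().items():
        print(key, value)
```

With only four sample scans the legacy layout already holds three signature rows, one per distinct message, and that number grows with every new source/targets/ports/seconds combination; the normalized layout holds one. Both per-source queries return the same counts, but only the second one can also filter or aggregate on targets, ports or seconds without parsing the signature string.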