[Snort-users] Stateful portscan detection anybody?
jpp at ...230...
Wed Aug 30 23:30:13 EDT 2000
I notice that portscan detection gets completely confused by domain servers
- it's detecting DNS replies as scans - this is made worse by the fact that
I have mailing lists running so I get flurries of DNS activity when a
message is sent to a list.
It seems to me that for portscan detection to be useful under such
conditions it needs to have some concept of state that allows it to ignore
replies to requests from $HOME_NET systems.
Is anybody out there working on such a thing?
John Pettitt Email: jpp at ...230...
"Attention spam" - The length of time it takes you to realize an email
isn't worth reading.
PGP keys on MIT & pgp.com servers.
Fingerprint: 81B5 446D 3E0E 1CDE 5A45 644A A744 54C4 7886 3658
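A sketch of the stateful idea the post asks for, added here as an illustration and not code from the post or from Snort: a toy portscan heuristic that, in stateful mode, records outbound requests from $HOME_NET and discards the matching replies before counting ports, so a burst of DNS answers to a list server no longer looks like a scan while an unsolicited probe still does. The home network, resolver and scanner addresses are assumed values from the RFC 5737 documentation ranges, and the threshold is arbitrary.

```python
from ipaddress import ip_address, ip_network
from collections import defaultdict

# Assumed home network (RFC 5737 documentation range), not from the post.
HOME_NET = ip_network("192.0.2.0/24")
SCAN_THRESHOLD = 5  # distinct home ports touched by one external host

class PortscanFilter:
    """Toy portscan heuristic; with stateful=True it first discards inbound
    packets that answer a request a $HOME_NET host sent earlier."""
    def __init__(self, stateful=True):
        self.stateful = stateful
        self.pending = set()                  # (home_ip, home_port, ext_ip, ext_port)
        self.ports_seen = defaultdict(set)    # ext_ip -> home ports it has hit
        self.alerts = []

    def packet(self, src, sport, dst, dport):
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if src_ip in HOME_NET and dst_ip not in HOME_NET:
            self.pending.add((src_ip, sport, dst_ip, dport))   # outbound request
            return "request"
        if dst_ip in HOME_NET and src_ip not in HOME_NET:
            key = (dst_ip, dport, src_ip, sport)
            if self.stateful and key in self.pending:
                self.pending.discard(key)                      # expected reply
                return "reply"
            self.ports_seen[src_ip].add(dport)
            if len(self.ports_seen[src_ip]) >= SCAN_THRESHOLD:
                self.alerts.append(str(src_ip))
                return "scan"
            return "unsolicited"
        return "ignored"

def run_dns_burst(stateful):
    """Constructed traffic: a list server resolves six names, each query from a
    fresh ephemeral port, and the resolver answers each one."""
    f = PortscanFilter(stateful)
    verdicts = []
    for i in range(6):
        eph = 40000 + i
        f.packet("192.0.2.10", eph, "198.51.100.53", 53)
        verdicts.append(f.packet("198.51.100.53", 53, "192.0.2.10", eph))
    return verdicts, f.alerts

def run_real_scan():
    """Constructed traffic: an external host probes five ports with no request
    from $HOME_NET behind them; state must not hide this."""
    f = PortscanFilter(stateful=True)
    return [f.packet("203.0.113.7", 1234, "192.0.2.10", p) for p in (21, 22, 23, 25, 80)]
```

Running `run_dns_burst(False)` reproduces the false positive described in the post (the resolver is flagged after five replies), while `run_dns_burst(True)` classifies all six packets as replies and raises no alert.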