[Snort-users] Stateful portscan detection anybody?

John Pettitt jpp at ...230...
Wed Aug 30 23:30:13 EDT 2000


I notice that portscan detection gets completely confused by domain servers 
- it's detecting DNS replies as scans - this is made worse by the fact that 
I have mailing lists running so I get flurries of DNS activity when a 
message is sent to a list.

It seems to me that for portscan detection to be useful under such 
conditions it needs to have some concept of state that allows it to ignore 
replies to requests from $HOME_NET systems.

Is anybody out there working on such a thing?

John

John Pettitt                                     Email: jpp at ...230...

"Attention spam" - The length of time it takes you to realize an email 
isn't worth reading.

PGP keys on MIT & pgp.com servers.
Fingerprint: 81B5 446D 3E0E 1CDE 5A45  644A A744 54C4 7886 3658
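The idea John is asking for, as an added illustration (this is not Snort's spp_portscan code and not anything from the thread): remember the 5-tuple of every request a $HOME_NET host sends out, drop inbound packets that match one of those tuples as replies, and only count unsolicited inbound packets toward a distinct-port threshold. The $HOME_NET range, the threshold, the window, and the packet trace below are all constructed for the example; a DNS flurry of the kind described in the post is shown tripping the stateless count and passing the stateful one, while a plain TCP scan still fires.

```python
"""Stateful portscan heuristic: ignore inbound packets that answer a request
$HOME_NET sent first; count only unsolicited inbound packets per external
source. Added example, not Snort's spp_portscan implementation."""

from collections import defaultdict
from ipaddress import ip_address, ip_network


class StatefulScanDetector:
    def __init__(self, home_net, threshold=5, window=10.0, stateful=True):
        self.home_net = ip_network(home_net)   # assumed $HOME_NET
        self.threshold = threshold             # distinct ports before alerting
        self.window = window                   # seconds of state to keep
        self.stateful = stateful               # False reproduces the naive behaviour
        # reply-oriented (proto, src, sport, dst, dport) -> time of the outbound request
        self.pending = {}
        # external source -> {dport: last time we saw an unsolicited packet to it}
        self.targets = defaultdict(dict)
        self.alerted = set()

    def _expire(self, now):
        """Drop request state and scan counters older than the window."""
        self.pending = {k: t for k, t in self.pending.items()
                        if now - t <= self.window}
        for src in list(self.targets):
            self.targets[src] = {p: t for p, t in self.targets[src].items()
                                 if now - t <= self.window}
            if not self.targets[src]:
                del self.targets[src]

    def observe(self, ts, proto, src, sport, dst, dport):
        """Feed one packet header; return an alert string or None."""
        self._expire(ts)
        src_in = ip_address(src) in self.home_net
        dst_in = ip_address(dst) in self.home_net
        if src_in and not dst_in:
            # Outbound request: store the tuple exactly as the reply will carry it.
            self.pending[(proto, dst, dport, src, sport)] = ts
            return None
        if dst_in and not src_in:
            if self.stateful and (proto, src, sport, dst, dport) in self.pending:
                return None  # answer to something a $HOME_NET host asked for
            self.targets[src][dport] = ts
            seen = len(self.targets[src])
            if seen >= self.threshold and src not in self.alerted:
                self.alerted.add(src)
                return f"PORTSCAN from {src}: {seen} unsolicited ports within {self.window}s"
        return None


def run_trace(packets, stateful=True, home_net="192.0.2.0/24"):
    """Replay (ts, proto, src, sport, dst, dport) tuples; return alerts raised."""
    det = StatefulScanDetector(home_net, stateful=stateful)
    return [a for a in (det.observe(*p) for p in packets) if a]


# Constructed trace 1: a mail host fires eight DNS queries from ephemeral ports
# and the resolver answers each one from port 53 (the "flurry" from the post).
DNS_FLURRY = []
for i, eph in enumerate(range(40000, 40008)):
    DNS_FLURRY.append((i * 0.1, "udp", "192.0.2.10", eph, "203.0.113.53", 53))
    DNS_FLURRY.append((i * 0.1 + 0.05, "udp", "203.0.113.53", 53, "192.0.2.10", eph))

# Constructed trace 2: an outside host probes six ports with no prior request.
SCAN = [(5.0 + i * 0.01, "tcp", "198.51.100.7", 44000 + i, "192.0.2.10", p)
        for i, p in enumerate([21, 22, 23, 25, 80, 110])]


if __name__ == "__main__":
    print("DNS flurry, stateless:", run_trace(DNS_FLURRY, stateful=False))
    print("DNS flurry, stateful: ", run_trace(DNS_FLURRY, stateful=True))
    print("TCP scan,   stateful: ", run_trace(SCAN, stateful=True))
```

The stateless run alerts on the resolver because eight different destination ports show up from one source in under a second; the stateful run matches each reply to the query that caused it and stays quiet, while the unsolicited TCP probe is still reported once the fifth distinct port is hit.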
