[Snort-users] spp_portscan

Fyodor fygrave at ...121...
Mon Oct 2 21:07:49 EDT 2000


~ :The interesting aspect about this is that the scan loops first through hosts
~ :(1-255) and then snet (1-255) before calculating a destination host to hit
~ :with the port 53 to port 111 packet.
~ :
~ :If I were running the portscan plugin, would it see this as a scan?  Is there
~ :an interplay, between rules that sense "scans" (like this one), and whether
~ :portscan records it?  I could answer my own question, except the network that
~ :the portscan is looking at is different than the network in this alert.

If the network which portscan is monitoring is different from the target in
the alert, the portscan plugin will not do anything about it. There's no
relationship between the detection engine (which actually applies the
rules) and the preprocessor.
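
A simplified model of the separation described in the reply above, added here as an illustration; it is not Snort's code and not part of the original post. The class and function names, the threshold (5 targets in 7 seconds), the addresses, and the reading of "port 53 to port 111" as source port 53 to destination port 111 are all assumptions.

```python
import ipaddress
from collections import defaultdict


class PortscanModel:
    """Toy threshold detector standing in for a portscan preprocessor."""

    def __init__(self, monitored, ports, seconds):
        self.net = ipaddress.ip_network(monitored)
        self.ports = ports          # distinct targets needed to flag a scan
        self.seconds = seconds      # sliding window length
        self.seen = defaultdict(list)   # src -> [(time, dst, dport)]

    def packet(self, t, src, dst, dport):
        # Targets outside the monitored network are never counted at all.
        if ipaddress.ip_address(dst) not in self.net:
            return False
        hist = [e for e in self.seen[src] if t - e[0] <= self.seconds]
        hist.append((t, dst, dport))
        self.seen[src] = hist
        return len({(d, p) for _, d, p in hist}) >= self.ports


def rule_match(sport, dport):
    # Hypothetical stand-in for the rule in the question (assumed 53 -> 111).
    return sport == 53 and dport == 111


def run(monitored, packets):
    """Feed every packet to both paths; neither one consults the other."""
    model = PortscanModel(monitored, ports=5, seconds=7)
    rule_alerts = portscan_alerts = 0
    for t, src, sport, dst, dport in packets:
        rule_alerts += rule_match(sport, dport)
        portscan_alerts += model.packet(t, src, dst, dport)
    return rule_alerts, portscan_alerts


# Constructed traffic: one source sweeping ten hosts in 10.2.0.0/16.
SWEEP = [(i * 0.1, "192.0.2.9", 53, f"10.2.{i}.{i + 1}", 111)
         for i in range(10)]

if __name__ == "__main__":
    print("monitoring 10.1.0.0/16:", run("10.1.0.0/16", SWEEP))
    print("monitoring 10.2.0.0/16:", run("10.2.0.0/16", SWEEP))
```

With the monitored network set to a range the sweep never touches, the rule fires on every packet while the scan detector stays silent, which is the situation in the question.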



