[Snort-users] spp_portscan

Martin Roesch roesch at ...421...
Mon Oct 2 23:41:28 EDT 2000


Hi Phil,
     If the portscan threshold criteria are met, then this should be recorded
as a port scan.  It's suspicious as hell in any event... 
    The portscan preprocessor gets called before the detection plugins that
generate this alert, but since the portscan detector needs to collect packets
for some period before going off, the detection rules would probably fire
first.

    -Marty

Phil Wood wrote:
> 
> Folks,
> 
> I've noticed a bunch of "source port" traffic alerts like this:
> 
> 10/02-01:03:59.170861  [**] IDS7/SourcePortTraffic-53-tcp [**] 203.80.237.141:53 -> my.net.snet.host:111
> 10/02-01:06:04.535359  [**] IDS7/SourcePortTraffic-53-tcp [**] 203.80.237.141:53 -> my.net.snet+2.host:111
> ...
> 
> in the "alert" file.
> 
> The interesting aspect about this is that the scan loops first through hosts
> (1-255) and then snet (1-255) before calculating a destination host to hit
> with the port 53 to port 111 packet.
> 
> If I were running the portscan plugin, would it see this as a scan?  Is there
> an interplay between rules that sense "scans" (like this one) and whether
> portscan records it?  I could answer my own question, except the network that
> the portscan is looking at is different than the network in this alert.
> 
> Thanks,
> 
> Phil
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
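The ordering point Marty makes, shown with a small added example that is not code from the thread or from Snort: a sliding-window threshold detector in the spirit of spp_portscan (the exact threshold/window semantics are assumed here, not Snort's implementation) is run over constructed alert lines in the format Phil quoted, with placeholder addresses. The per-packet rule alert exists from the very first line, while the scan alert only appears once enough distinct targets have accumulated inside the window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the alert-file format quoted in the thread. The source
# and destination addresses are placeholders, not the addresses from the post.
ALERT_LINES = """\
10/02-01:03:59.170861  [**] IDS7/SourcePortTraffic-53-tcp [**] 192.0.2.10:53 -> 10.0.1.1:111
10/02-01:04:00.000000  [**] IDS7/SourcePortTraffic-53-tcp [**] 192.0.2.10:53 -> 10.0.1.2:111
10/02-01:04:01.000000  [**] IDS7/SourcePortTraffic-53-tcp [**] 192.0.2.10:53 -> 10.0.1.3:111
10/02-01:04:02.000000  [**] IDS7/SourcePortTraffic-53-tcp [**] 192.0.2.10:53 -> 10.0.1.4:111
10/02-01:06:04.535359  [**] IDS7/SourcePortTraffic-53-tcp [**] 192.0.2.10:53 -> 10.0.2.1:111
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+(?P<msg>\S+)\s+\[\*\*\]\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)$"
)

def parse_alert(line, year=2000):
    """Parse one alert line into (datetime, msg, src, dst_host, dst_port).
    The alert file carries no year, so one is supplied (assumed)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable alert line: {line!r}")
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return ts, m["msg"], m["src"], m["dst"], int(m["dport"])

def portscan_alerts(lines, threshold=4, window_sec=3.0):
    """Assumed spp_portscan-style rule: alert when one source has touched at
    least `threshold` distinct host:port targets within `window_sec` seconds.
    Returns one (alert_time, src, distinct_targets) tuple per alert."""
    recent = defaultdict(deque)          # src -> deque of (ts, (dst, dport))
    alerts = []
    for line in lines:
        ts, _msg, src, dst, dport = parse_alert(line)
        q = recent[src]
        q.append((ts, (dst, dport)))
        while q and (ts - q[0][0]).total_seconds() > window_sec:
            q.popleft()                  # drop packets that fell out of the window
        targets = {t for _, t in q}
        if len(targets) >= threshold:
            alerts.append((ts, src, len(targets)))
            q.clear()                    # one scan alert per burst (design choice)
    return alerts

def first_alert_times(lines):
    """Per-packet rule fires on the first packet; the scan alert comes later."""
    rule_first = parse_alert(lines[0])[0]
    scans = portscan_alerts(lines)
    return rule_first, (scans[0][0] if scans else None)

if __name__ == "__main__":
    rule_t, scan_t = first_alert_times(ALERT_LINES)
    print("rule alert at", rule_t.time(), "| portscan alert at", scan_t and scan_t.time())
```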
