[Snort-users] Portscan plugin

A.L.Lambert alambert at ...387...
Thu Oct 5 19:09:55 EDT 2000


<SNIP>
> > 2.  Does anyone have a better suggestion for what to do about this problem
> > I'm having?
> 
> I'm afraid not.  The portscan detector was built with the notion that
> all "odd" combinations of TCP flags are suspicious and should be
> logged.  It works great for that purpose, but unfortunately won't for
> your situation.  You may want to look into Spade to detect SYN portscans
> (they seem to be most common after all).  That way, you have some sort
> of portscan detection still available without having to use the portscan
> detection plugin itself.
> 
> Spade is available at: http://www.silicondefense.com/spice/
> 
> -Joe M..

Thanks for the info.  I'll look into spade.  Right now I've just
got some ultra generic rules ($EXTERNAL any -> $INTERNAL $PORTNUMBER) to
set off alerts for any traffic to the usual ports that'll be on the top of
the list for any portscanner with hostile intentions.  Sets off a bit of
chatter if anyone nmaps it, but a quick multi-alert blast during a
portscan is more acceptable than the constant chatter with the
preprocessor plugin.  Should be fairly quiet too; other than me testing to
make sure my rules were working, I haven't heard a peep out of that
datacenter since.  Anyhoo, I'm set good enough to leave it till tomorrow.
Thanks again, and cheers!

-- A.L.Lambert
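The "generic rules" approach in the message above, modelled in Python as an added example (this is not Snort code and not from the poster): each external-to-internal packet aimed at one of a short list of commonly probed ports raises an alert, exactly as a set of `$EXTERNAL any -> $INTERNAL $PORTNUMBER` rules would, and a second pass collapses the resulting multi-alert blast into one summary per source. The port list, the `10.0.0.0/8` stand-in for `$INTERNAL`, the threshold and the sample flows are all assumptions constructed for the example.

```python
"""Toy model of the 'generic rules' portscan workaround: one alert per packet
to a watched port, then a per-source summary so an nmap sweep reads as one
event instead of a blast of alerts. Constructed example, not Snort code."""
from collections import defaultdict
import ipaddress

# Constructed: the "usual ports" a scanner tends to try first (assumption).
WATCHED_PORTS = {21, 22, 23, 25, 53, 80, 110, 111, 139, 143, 443}

# Stands in for Snort's $INTERNAL variable (assumption).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def is_external(ip):
    """True when the address is outside the $INTERNAL range."""
    return ipaddress.ip_address(ip) not in INTERNAL


def match_generic_rules(flows):
    """Emit one alert per packet, mirroring $EXTERNAL any -> $INTERNAL $PORT.

    Every matching packet alerts, regardless of TCP flags, which is why a
    scan produces a short burst of alerts rather than silence.
    """
    alerts = []
    for src, dst, dport in flows:
        if is_external(src) and not is_external(dst) and dport in WATCHED_PORTS:
            alerts.append((src, dst, dport))
    return alerts


def summarize(alerts, threshold=3):
    """Collapse per-packet alerts into one entry per source that touched
    at least `threshold` distinct watched ports (the scan signature).
    Sources below the threshold (a lone web hit) stay as plain alerts."""
    ports_by_src = defaultdict(set)
    for src, _dst, dport in alerts:
        ports_by_src[src].add(dport)
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= threshold}


# Constructed sample flows: (src, dst, dport). Not captured traffic.
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.1.2.3", 22),    # scanner walking watched ports
    ("203.0.113.7", "10.1.2.3", 23),
    ("203.0.113.7", "10.1.2.3", 80),
    ("203.0.113.7", "10.1.2.3", 443),
    ("203.0.113.7", "10.1.2.3", 8080),  # not a watched port: no alert
    ("198.51.100.9", "10.1.2.4", 80),   # single web hit: one alert, no summary
    ("10.1.2.5", "10.1.2.3", 22),       # internal source: no alert
]


if __name__ == "__main__":
    raw = match_generic_rules(SAMPLE_FLOWS)
    for src, dst, dport in raw:
        print(f"ALERT {src} -> {dst}:{dport}")
    for src, ports in summarize(raw).items():
        print(f"SCAN SUMMARY {src} probed ports {ports}")
```

The per-packet pass is the poster's setup as described; the summary pass is the one addition a practitioner usually wants on top of it, since it keeps the generic rules quiet day to day and turns a scan into a single line that is easy to read and correlate.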
