[Snort-users] Portscan plugin
alambert at ...387...
Thu Oct 5 19:09:55 EDT 2000
> > 2. Does anyone have a better suggestion for what to do about this problem
> > I'm having?
> I'm afraid not. The portscan detector was built with the notion that
> all "odd" combinations of TCP flags are suspicious and should be
> logged. It works great for that purpose, but unfortunately won't for
> your situation. You may want to look into Spade to detect SYN portscans
> (they seem to be most common after all). That way, you have some sort
> of portscan detection still available without having to use the portscan
> detection plugin itself.
> Spade is available at: http://www.silicondefense.com/spice/
> -Joe M..
Thanks for the info. I'll look into spade. Right now I've just
got some ultra generic rules ($EXTERNAL any -> $INTERNAL $PORTNUMBER) to
set off alerts for any traffic to the usual ports that'll be on the top of
the list for any portscanner with hostile intentions. Sets off a bit of
chatter if anyone nmaps it, but a quick multi-alert blast during a
portscan is more acceptable than the constant chatter with the
preprocessor plugin. Should be fairly quiet too; other than me testing to
make sure my rules were working, I haven't heard a peep out of that
datacenter since. Anyhoo, I'm set good enough to leave it till tomorrow.
Thanks again, and cheers!
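The "ultra generic rules" approach described above, written out as an added example rather than anything posted in this thread. It uses Snort 1.x-style rule syntax; the network range, the variable names and the list of watched ports are assumptions, and each rule matches only the initial SYN so one connection attempt yields one alert instead of one alert per packet.

```snort
# Added example (not from the thread): a minimal "watched ports" rule set.
# The address range and the port list below are assumptions; adjust both to the site.
var INTERNAL 192.168.1.0/24
var EXTERNAL !192.168.1.0/24

# flags:S restricts each rule to the first packet of a connection attempt,
# so a port sweep shows up as a short burst of alerts (one per port probed)
# rather than a steady stream for every packet exchanged.
alert tcp $EXTERNAL any -> $INTERNAL 21  (msg:"WATCH ftp connection attempt";     flags:S;)
alert tcp $EXTERNAL any -> $INTERNAL 22  (msg:"WATCH ssh connection attempt";     flags:S;)
alert tcp $EXTERNAL any -> $INTERNAL 23  (msg:"WATCH telnet connection attempt";  flags:S;)
alert tcp $EXTERNAL any -> $INTERNAL 25  (msg:"WATCH smtp connection attempt";    flags:S;)
alert tcp $EXTERNAL any -> $INTERNAL 111 (msg:"WATCH sunrpc connection attempt";  flags:S;)
alert tcp $EXTERNAL any -> $INTERNAL 139 (msg:"WATCH netbios connection attempt"; flags:S;)
```

Because every rule fires on any SYN to its port, leave out of the list any port the site legitimately serves to outside clients, or the rule for that port will alert on normal traffic. Later Snort releases added per-rule rate limiting (the `threshold` option, later replaced by `detection_filter`), which can turn the alert burst into a single event once a source exceeds a chosen number of hits in a time window; the rules above do not depend on it.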