[Snort-users] Portscan plugin

Martin Roesch roesch at ...421...
Fri Oct 6 23:41:21 EDT 2000


Joe McAlerney wrote:
> 
> > 2.  Does anyone have a better suggestion for what to do about this problem
> > I'm having?
> 
> I'm afraid not.  The portscan detector was built with the notion that
> all "odd" combinations of TCP flags are suspicious and should be
> logged.  It works great for that purpose, but unfortunately won't for
> your situation.  You may want to look into Spade to detect SYN portscans
> (they seem to be most common after all).  That way, you have some sort
> of portscan detection still available without having to use the portscan
> detection plugin itself.
> 
> Spade is available at: http://www.silicondefense.com/spice/

Actually, you can prefilter packets using the BPF interface.  BPF filtering is
applied before the packets even get into Snort, so if there's something that
you don't ever want Snort to look at you can zap it with a BPF filter.  Check
out the man page for more info on using the BPF filtering interface.

     -Marty


-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
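A worked example of the BPF prefiltering Marty describes, added here; it is not part of the original post and not Snort's own code. It builds a libpcap filter expression that excludes the traffic you never want Snort to see and prints the resulting invocation. The addresses (10.0.0.5, 192.168.0.0/16), the interface eth0 and the file name snort.conf are constructed placeholders; the trailing-argument form of passing the expression to snort is the one the man page referenced above documents.

```shell
#!/bin/sh
# Added example (not from the original post): assemble a BPF expression so
# libpcap discards unwanted packets before Snort ever decodes them.

# bpf_exclude host 10.0.0.5 net 192.168.0.0/16
#   -> not (host 10.0.0.5 or net 192.168.0.0/16)
# Only the primitives host/net/port are accepted, so a typo cannot silently
# turn into a filter that matches nothing (or everything).
bpf_exclude() {
  terms=""
  while [ $# -ge 2 ]; do
    case "$1" in
      host|net|port) ;;
      *) echo "bpf_exclude: unknown primitive '$1'" >&2; return 1 ;;
    esac
    term="$1 $2"
    if [ -z "$terms" ]; then terms="$term"; else terms="$terms or $term"; fi
    shift 2
  done
  [ -n "$terms" ] || { echo "bpf_exclude: nothing to exclude" >&2; return 1; }
  # Parenthesise the whole clause so "not" binds to all of it, not just the
  # first primitive.
  printf 'not (%s)\n' "$terms"
}

# bpf_filter BASE EXCLUSION
#   Combine what Snort should see (BASE, may be empty) with an exclusion
#   clause from bpf_exclude.  Both halves are parenthesised explicitly
#   rather than relying on BPF operator precedence.
bpf_filter() {
  base="$1"; excl="$2"
  if [ -z "$base" ]; then
    printf '%s\n' "$excl"
  else
    printf '(%s) and %s\n' "$base" "$excl"
  fi
}

# Stand-alone demonstration: look at TCP only, but never at the two
# placeholder sources.  The expression is passed to snort as its trailing
# argument, after the options.
FILTER=$(bpf_filter 'tcp' "$(bpf_exclude host 10.0.0.5 net 192.168.0.0/16)")
echo "snort -c snort.conf -i eth0 '$FILTER'"
```

The caveat a practitioner wants here: a BPF filter is applied by libpcap, so anything it drops is invisible to every rule and preprocessor, not only to the portscan plugin. Excluding a whole host or net to quiet one detector therefore blinds Snort to that traffic entirely; keep the exclusion as narrow as the problem (a single port pair, say) rather than a host, and keep a copy of the expression with the configuration so the blind spot is documented.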
