[Snort-users] verbose spp_portscan logging.

Joe McAlerney joey at ...155...
Fri Sep 22 12:13:43 EDT 2000


Hi Joseph,

Joseph Nicholas Yarbrough wrote:
> 
> Hello,
> 
> I can't seem to find anything in the source for spp_portscan to allow verbose
> logging. We want to put in the hosts being scanned and what ports. 

Are you looking in the right place?  The alert file will notify you of a
scan, but the place where the spp_portscan logs to has all that
information.  That is defined in your rules file.  Most default to
/var/log/portscan.log.

> Also, is it
> possible that a lot of udp traffic will trigger a udp portscan alert? Or is the
> ip portion what spp_portscan is responding to?

It looks for TCP SYN and UDP packets, as well as "Stealth" packets
(i.e., unnatural combinations of the TCP flags - SF, UAPRSF, etc.)  In
our experience, UDP packets set it off most often with DNS traffic and
game machine traffic.  You just have to configure your threshold and
decide what hosts (if any) you want to put on the portscan-ignorehosts
list.

-Joe M.
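The reply describes the three things the preprocessor works from: the packet kinds it counts (TCP SYN, UDP, and "stealth" flag combinations), a threshold of N ports within M seconds, and an ignore-hosts list for chatty sources such as DNS servers. The following is an added example, not Snort's spp_portscan code, modelling that heuristic so the interaction between threshold and ignore list can be seen on constructed traffic. The threshold values, the ignored network, the log line layout and the sample addresses are all assumptions made for this example.

```python
"""Added example (not Snort's own code): a minimal model of the
threshold-based port-scan heuristic described in the reply.

Assumptions, stated here because the thread does not give them:
- a "scan" is >= `ports` distinct (dst, dport) pairs from one source
  within `seconds` (a two-number threshold, as in spp_portscan);
- the stealth set is the combinations the reply names (SF, UAPRSF)
  plus a NULL packet (no flags at all);
- the per-packet log line format is invented for this example.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed ignore list, analogous to `portscan-ignorehosts` in the thread.
IGNORE_HOSTS = [ip_network("10.0.0.53/32")]  # e.g. an internal DNS resolver

# Flag combinations that never occur in a legitimate TCP exchange.
STEALTH_FLAGS = {"SF", "UAPRSF", ""}  # SYN+FIN, every flag set, NULL


def classify(proto, flags):
    """Label a packet as SYN, UDP or STEALTH; None means 'not something a
    port-scan counter should look at' (e.g. an ACK of established traffic)."""
    if proto == "UDP":
        return "UDP"
    if proto == "TCP":
        if flags in STEALTH_FLAGS:
            return "STEALTH"
        if flags == "S":
            return "SYN"
    return None


def is_ignored(src):
    return any(ip_address(src) in net for net in IGNORE_HOSTS)


class PortscanDetector:
    """Sliding-window counter: alert when one source reaches at least
    `ports` distinct (dst, dport) pairs within `seconds`."""

    def __init__(self, ports=4, seconds=3):
        self.ports = ports
        self.seconds = seconds
        self.window = defaultdict(deque)  # src -> deque of (ts, dst, dport, kind)
        self.alerts = []  # what would go to the alert file
        self.log = []     # verbose per-packet records (hosts and ports)

    def feed(self, ts, src, dst, dport, proto, flags=""):
        kind = classify(proto, flags)
        if kind is None or is_ignored(src):
            return None
        q = self.window[src]
        q.append((ts, dst, dport, kind))
        while q and ts - q[0][0] > self.seconds:  # drop packets outside window
            q.popleft()
        self.log.append(f"{ts} {src} -> {dst}:{dport} {kind} {flags or '-'}")
        distinct = {(d, p) for _, d, p, _ in q}
        if len(distinct) >= self.ports:
            self.alerts.append((src, sorted(distinct)))
            q.clear()  # start a fresh window after alerting
            return self.alerts[-1]
        return None


def run_sample():
    """Constructed traffic: a SYN scan from 192.0.2.10, a UDP burst from an
    ignored resolver, a slow probe under the threshold, and one plain ACK."""
    det = PortscanDetector(ports=4, seconds=3)
    events = [
        (100.0, "192.0.2.10", "198.51.100.5", 21, "TCP", "S"),
        (100.2, "192.0.2.10", "198.51.100.5", 22, "TCP", "S"),
        (100.4, "192.0.2.10", "198.51.100.5", 23, "TCP", "S"),
        (100.5, "192.0.2.10", "198.51.100.5", 25, "TCP", "S"),
        (101.0, "10.0.0.53", "198.51.100.7", 1024, "UDP", ""),  # ignored host
        (101.1, "10.0.0.53", "198.51.100.7", 1025, "UDP", ""),
        (101.2, "10.0.0.53", "198.51.100.7", 1026, "UDP", ""),
        (101.3, "10.0.0.53", "198.51.100.7", 1027, "UDP", ""),
        (110.0, "203.0.113.9", "198.51.100.5", 80, "TCP", "S"),    # 2 s apart:
        (112.0, "203.0.113.9", "198.51.100.5", 443, "TCP", "S"),   # never 4 ports
        (114.0, "203.0.113.9", "198.51.100.5", 8080, "TCP", "S"),  # within 3 s
        (116.0, "203.0.113.9", "198.51.100.5", 8443, "TCP", "S"),
        (120.0, "203.0.113.9", "198.51.100.5", 80, "TCP", "A"),    # not counted
    ]
    for ev in events:
        det.feed(*ev)
    return det


if __name__ == "__main__":
    d = run_sample()
    print("alerts:", d.alerts)
    print("\n".join(d.log))
```

Running it yields one alert, for the four-port SYN burst, while the resolver's UDP burst never reaches the counter and the slow probe keeps falling out of the window. That is the trade-off the reply points at: lowering the threshold or widening the window catches slower probes at the cost of more noise from hosts like DNS servers, which is what the ignore list is for.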
