[Snort-users] DNS, portscan, & laptops

Andrew Daviel andrew at ...523...
Mon Jun 18 19:45:04 EDT 2001


On Mon, 18 Jun 2001, Brian Caswell wrote:

> Never never never never do anything but wave big red flags at yourself
> automagicly.  Computers are smart, but computers don't know politics.
> Heck, people don't know politics.  Why should computers know any
> better?

Well, yes, but I believe that most (all?) of the wide port scans I see are
real and either represent a compromised machine or a worm, and as such
should be reported quickly and hopefully fixed. I was getting fed up doing
it by hand. This isn't "someone poked port 80 on my PC", but "someone did
a SYN scan for DNS to 13,000 consecutive addresses".

This particular case, I admit, wasn't that but "someone probed 900 UDP
ports on our machine", and if I have more false alerts from portscanning
on single addresses I may drop single address reports.

Ideally of course I would like 0% false alerts and 100% success in
notification. Currently I'm probably running about 1% false alerts and
50% success in notification.

The wider question is, I suppose, what should we report, to whom, and how
quickly. Aside from after-the-fact forensics, if I don't report anything
to anyone I might as well not bother collecting IDS data.
I don't myself particularly care if some kid out there is using his own PC
to scan our address space, but I suspect that if he's broken into
someone else's computer and is using that, they would indeed care,
and I think that automatic reporting is better than nothing for trying to
tell them.

Andrew Daviel
TRIUMF
