[Snort-users] detecting outgoing portscans

Andrew Daviel andrew at ...523...
Fri Oct 12 10:51:10 EDT 2001

In the wake of NIMDA, when we had a supposedly patched machine infected,
I thought I'd try to enable the portscan preprocessor (Snort 1.7)
on everything. I initially tried to have two portscan entries, with
different logfiles and different thresholds, but that doesn't work.

If I have a threshold of 30 or so, as for detecting real inbound scans, I
get a lot of bogus outbound scans from people websurfing. I *think* that
Snort registers a SYN scan if a user aborts a page load in a browser, as
for instance clicking a link before all the images have loaded. I've seen
190 SYN alerts in a couple of hours from someone using a search engine.

Is there any way to treat this as "normal", perhaps if an unacked SYN
follows one or more acked packets? Otherwise I guess I set a threshold in
a postprocessor higher, like 500. I'd like to catch outbound scanning or
worm activity for which I don't have a pattern, either because I'm lazy or
where one hasn't been written yet.

I'd found I was getting way too many false positives from the regular
Snort pattern matching to bother investigating. Again, I suppose I can set
a postprocessor to trigger on 500 outbound alerts or something.

Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at ...524...
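One way to implement the heuristic Andrew asks about, as an added example that is not part of the original post or of Snort itself: a small post-processor over constructed packet summaries (the addresses, flows and counts are made up) that treats SYNs to a host the source has already completed a handshake with as normal browser behaviour, then applies a per-source threshold to what remains.

```python
from collections import defaultdict

# Constructed sample of outbound packet summaries: (time_s, src, dst, dport, tcp_flag).
# 10.0.0.5 is a web surfer: its connections to two web servers complete (ACK seen),
# then the user aborts a page load, leaving later SYNs to the same server unanswered.
# 10.0.0.9 behaves like a worm: SYNs to many distinct hosts, no completed handshake.
SAMPLE = [
    (0, "10.0.0.5", "198.51.100.10", 80, "S"),
    (0, "10.0.0.5", "198.51.100.10", 80, "A"),
    (2, "10.0.0.5", "198.51.100.20", 80, "S"),
    (2, "10.0.0.5", "198.51.100.20", 80, "A"),
] + [(3, "10.0.0.5", "198.51.100.10", 80, "S")] * 40
SAMPLE += [(t, "10.0.0.9", f"192.0.2.{t}", 80, "S") for t in range(1, 41)]


def naive_syn_count(events):
    """Plain SYN counter per source, the behaviour that flags web surfers."""
    counts = defaultdict(int)
    for _, src, _, _, flag in events:
        if flag == "S":
            counts[src] += 1
    return dict(counts)


def outbound_scan_report(events, threshold):
    """Return {src: unexplained SYN target count} for sources at or above threshold.

    Pass 1 records which (src, dst) pairs completed a handshake in this log chunk
    (an ACK from src to dst was seen).  Pass 2 counts, per source, the distinct
    (dst, port) targets hit by a SYN with no such handshake: SYNs to a host the
    user was already talking to are the aborted-page-load case and are ignored.
    """
    established = {(src, dst) for _, src, dst, _, flag in events if flag == "A"}
    targets = defaultdict(set)
    for _, src, dst, dport, flag in events:
        if flag == "S" and (src, dst) not in established:
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    # With a threshold of 30 the naive counter flags both hosts; the
    # handshake-aware report flags only the worm-like host.
    print("naive:", naive_syn_count(SAMPLE))
    print("scan report:", outbound_scan_report(SAMPLE, 30))
```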

