[Snort-users] Re: [Snort-devel] About distributed portscans

James Hoagland hoagland at ...47...
Thu Oct 18 14:35:20 EDT 2001


At 3:54 PM +0530 10/16/01, Mamata Desai wrote:
>Hello all,
>
>I am a graduate student and as part of my final project, was thinking of
>implementing a distributed portscan detector. I believe snort portscan
>detector detects one->one and one->many portscans, and there is work
>going on to build the many->one and the many->many modules.
>
>I would like to work on something like that. Could anybody provide me
>with some guidance/suggestions as to how I should proceed? I would like
>to know what are the 'to do's in this area, so that I can focus my work
>efforts and help contribute in some way.

Mamata,

You might want to read the paper "Practical Automated Detection of 
Stealthy Portscans", linked to here:

   http://www.silicondefense.com/research/pubs.htm

This discusses Spice, developed at Silicon Defense.  Spice can detect 
many->many and rather slow scans.

Best regards,

   Jim

-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|
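As an added illustration (not code from this thread, from Snort, or from Spice): a toy detector that buckets connection attempts into fixed time windows and sorts them into the four shapes named in the question, one->one (one source probing many ports on one host), one->many (one source sweeping one port across many hosts), many->one (several sources sharing a probe of one host) and many->many (several sources, several targets). The traffic is constructed, the thresholds are arbitrary, and the classifier uses plain counts rather than the anomaly scoring of the linked paper, so it would be noisy on real traffic. Its point is the window length: the same slow distributed sweep is invisible with a 60 s window and only appears when the window grows to 15 minutes, which is the memory-versus-sensitivity trade-off a many->many detector has to manage.

```python
"""Toy classifier for the four portscan shapes named in the thread.

Added example, not Snort or Spice code. Buckets attempts into fixed windows and
applies count thresholds; the window length decides whether slow scans are seen.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: float   # seconds since start of capture
    src: str
    dst: str
    dport: int


def detect_scans(attempts, window=60.0, min_targets=5, min_sources=5):
    """Return sorted findings as (window_index, kind, key, count).

    one->one   one src, one dst, >= min_targets distinct ports (vertical scan)
    one->many  one src, >= min_targets distinct dsts (horizontal sweep)
    many->one  >= min_sources srcs and >= min_targets ports against one dst,
               counting only srcs that were not already flagged on their own
    many->many >= min_sources srcs and >= min_targets dsts left over once the
               attempts explained by the findings above are removed
    """
    buckets = defaultdict(list)
    for a in attempts:
        buckets[int(a.ts // window)].append(a)

    findings = []
    for w, group in sorted(buckets.items()):
        by_src, by_dst = defaultdict(list), defaultdict(list)
        for a in group:
            by_src[a.src].append(a)
            by_dst[a.dst].append(a)

        # Single-source shapes: judge each source by itself.
        noisy_srcs = set()
        for src, rows in by_src.items():
            dsts = {a.dst for a in rows}
            ports = {a.dport for a in rows}
            if len(dsts) >= min_targets:
                findings.append((w, "one->many", src, len(dsts)))
                noisy_srcs.add(src)
            elif len(dsts) == 1 and len(ports) >= min_targets:
                findings.append((w, "one->one", src, len(ports)))
                noisy_srcs.add(src)

        # Distributed scan of one host: aggregate by destination, ignoring
        # sources that were already loud enough to be caught alone.
        hot_dsts = set()
        for dst, rows in by_dst.items():
            quiet = [a for a in rows if a.src not in noisy_srcs]
            srcs = {a.src for a in quiet}
            ports = {a.dport for a in quiet}
            if len(srcs) >= min_sources and len(ports) >= min_targets:
                findings.append((w, "many->one", dst, len(srcs)))
                hot_dsts.add(dst)

        # Whatever remains is individually unremarkable; only its spread across
        # sources and targets within this window gives it away.
        rest = [a for a in group if a.src not in noisy_srcs and a.dst not in hot_dsts]
        if (len({a.src for a in rest}) >= min_sources
                and len({a.dst for a in rest}) >= min_targets):
            findings.append((w, "many->many", "*", len(rest)))
    return sorted(findings)


def sample_attempts():
    """Constructed traffic, not a real capture."""
    rows = []
    # vertical scan: one host probes ports 21-26 on one target
    rows += [Attempt(float(t), "10.0.0.5", "192.168.1.10", 21 + t) for t in range(6)]
    # horizontal sweep: one host probes port 445 on six targets
    rows += [Attempt(10.0 + i, "10.0.0.6", f"192.168.1.{20 + i}", 445) for i in range(6)]
    # distributed scan of one target: six sources, one port each
    rows += [Attempt(20.0 + i, f"172.16.0.{1 + i}", "192.168.1.30", 80 + i) for i in range(6)]
    # slow distributed sweep: six sources, six targets, one probe every 100 s
    rows += [Attempt(100.0 * i, f"198.51.100.{1 + i}", f"192.168.2.{1 + i}", 22) for i in range(6)]
    return rows


if __name__ == "__main__":
    for window in (60.0, 900.0):
        print(f"window={window:.0f}s")
        for f in detect_scans(sample_attempts(), window=window):
            print("  ", f)
```

With the 60 s window the run reports the vertical scan, the horizontal sweep and the many->one scan, and nothing for the slow sweep, whose probes each land in a different bucket; with a 900 s window the same input additionally yields a many->many finding covering all six of its probes.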