[Snort-users] Re: [Snort-devel] About distributed portscans
hoagland at ...47...
Thu Oct 18 14:35:20 EDT 2001
At 3:54 PM +0530 10/16/01, Mamata Desai wrote:
>I am a graduate student and as part of my final project, was thinking of
>implementing a distributed portscan detector. I believe snort portscan
>detector detects one->one and one->many portscans, and there is work
>going on to build the many->one and the many->many modules.
>I would like to work on something like that. Could anybody provide me
>with some guidance/suggestions as to how I should proceed? I would like
>to know what are the 'to do's in this area, so that I can focus my work
>efforts and help contribute in some way.
You might want to read the paper "Practical Automated Detection of
Stealthy Portscans", linked to here:
This discusses Spice, developed at Silicon Defense. Spice can detect
many->many and rather slow scans.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...47... *|
|* http://www.silicondefense.com/ *|
|* Silicon Defense - Technical Support for Snort *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
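As an added example, not code from this thread, from Snort or from Spice, the following Python sketch shows the four scan shapes the exchange refers to (one->one, one->many, many->one, many->many): within a time window it links each source to every target it probed, takes connected components of that graph, and labels each component by its source and target multiplicity. The sample events, window length and probe threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of unanswered TCP SYNs as (seconds, src_ip, dst_ip, dst_port); not real traffic.
EVENTS = [
    (0, "10.0.0.1", "192.168.1.5", 22), (1, "10.0.0.1", "192.168.1.5", 23),
    (2, "10.0.0.1", "192.168.1.5", 25), (3, "10.0.0.1", "192.168.1.5", 80),
    (10, "10.0.0.9", "192.168.2.1", 445), (11, "10.0.0.9", "192.168.2.2", 445),
    (12, "10.0.0.9", "192.168.2.3", 445), (13, "10.0.0.9", "192.168.2.4", 445),
    (20, "172.16.0.1", "192.168.3.7", 21), (21, "172.16.0.2", "192.168.3.7", 22),
    (22, "172.16.0.3", "192.168.3.7", 23), (23, "172.16.0.4", "192.168.3.7", 25),
    (30, "172.16.9.1", "192.168.4.1", 80), (31, "172.16.9.2", "192.168.4.2", 80),
    (32, "172.16.9.1", "192.168.4.2", 443), (33, "172.16.9.2", "192.168.4.1", 443),
    (40, "10.0.0.7", "192.168.5.5", 80),  # single failed connect, below threshold
]

def shape(n_src, n_dst):
    """Name the scan by source and target multiplicity, e.g. 'many->one'."""
    return f"{'one' if n_src == 1 else 'many'}->{'one' if n_dst == 1 else 'many'}"

def classify_scans(events, window=60, min_probes=4):
    """Per time window, join sources to the targets they probed (union-find) and report
    every component with >= min_probes distinct probes as (shape, sources, targets, count)."""
    by_window = defaultdict(list)
    for ts, src, dst, port in events:
        by_window[ts // window].append((src, dst, port))
    findings = []
    for _, probes in sorted(by_window.items()):
        parent = {}  # union-find over ("src", ip) and ("dst", ip) nodes
        def find(node):
            parent.setdefault(node, node)
            while parent[node] != node:
                parent[node] = parent[parent[node]]  # path halving
                node = parent[node]
            return node
        for src, dst, _ in probes:
            parent[find(("src", src))] = find(("dst", dst))
        comps = defaultdict(set)  # root -> distinct probes (set dedups retransmits)
        for src, dst, port in probes:
            comps[find(("src", src))].add((src, dst, port))
        for members in comps.values():
            if len(members) >= min_probes:
                srcs = sorted({m[0] for m in members})
                dsts = sorted({m[1] for m in members})
                findings.append((shape(len(srcs), len(dsts)), srcs, dsts, len(members)))
    return findings

if __name__ == "__main__":
    for kind, srcs, dsts, n in classify_scans(EVENTS):
        print(f"{kind:10} {n} probes  sources={srcs}  targets={dsts}")
```

The component approach is what makes the many->one and many->many cases visible: no single source crosses a per-source threshold, but the targets they share tie them together.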