[Snort-users] Portscan detection questions.

Vinay A. Mahadik VAMahadik at ...6245...
Wed Jul 3 15:53:02 EDT 2002


Hi there,

I didn't find any specific answers to the following in the archives, and
hence posting these here..

1. How come there are portscan types like 'ACK scan' (wherein only the
ACK flag is set in the TCP packet) ignored by Snort? (spp_portscan and
spp_stream4). These do help in n/w mapping don't they?

2. Stream4 and portscan independently check TCP flags to detect scans..
and are ON in the default configuration. Isn't this unnecessary
duplication. Any suggestions on which is 'better' (breadth, speed wise)?

3. (Haven't checked this yet) Some of the scan.rules' rules are already
covered in the above preprocessors.. e.g. SCAN FIN.. are these
intentional redundancies?

I could be wrong.. but pls do let me know..

Thanks,
Vinay.

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618




More information about the Snort-users mailing list