[Snort-users] paranoid portscan preprocessor setup

James Hoagland hoagland at ...47...
Sat Jul 27 10:42:02 EDT 2002

At 6:28 PM -0400 7/26/02, Jason Falciola wrote:
>2.  I want to see an event even if only 1 port is scanned by an inbound TCP
>or UDP packet.  This doesn't seem to be working.  Do I need to write my own
>rule for this, or is it a configuration issue?

I'm not clear on what you want here.  A 1-packet scan is difficult to 
detect.  If you try to do that with the portscan preprocessor (and it 
succeeds) I'll be reporting essentially all of your traffic as a scan 
in which case you had just as well run tcpdump.  Its domain is 
currently only TCP SYNs, but look into Spade (another Snort 
preprocessor) if what you want to detect is unusual packets.

Good luck,


|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
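
The threshold effect described in the reply above, as an added example that is not part of the original message and is not Snort's code: a simplified model of a SYN-counting scan detector, run over constructed events. The function names, the `min_ports` and `window_s` parameters, and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (time_s, src_ip, dst_ip, dst_port, tcp_flags).
EVENTS = [
    (0.0, "198.51.100.7", "192.0.2.10", 80, "S"),
    (0.4, "198.51.100.8", "192.0.2.10", 443, "S"),
    (0.5, "198.51.100.7", "192.0.2.10", 80, "A"),   # not a SYN, ignored
    (1.0, "203.0.113.5", "192.0.2.10", 21, "S"),
    (1.1, "203.0.113.5", "192.0.2.10", 22, "S"),
    (1.2, "203.0.113.5", "192.0.2.10", 23, "S"),
    (1.3, "203.0.113.5", "192.0.2.10", 25, "S"),
    (1.4, "203.0.113.5", "192.0.2.11", 25, "S"),
    (2.0, "198.51.100.9", "192.0.2.11", 25, "S"),
    (9.0, "198.51.100.8", "192.0.2.10", 80, "S"),
]

def scan_sources(events, min_ports, window_s):
    """Return the sources that sent SYNs to at least min_ports distinct
    (dst_ip, dst_port) targets within any window_s-second window."""
    recent = defaultdict(deque)   # src -> deque of (time, target)
    flagged = set()
    for t, src, dst, port, flags in sorted(events):
        if flags != "S":          # model only bare TCP SYNs
            continue
        q = recent[src]
        q.append((t, (dst, port)))
        while q and t - q[0][0] > window_s:   # drop entries older than the window
            q.popleft()
        if len({target for _, target in q}) >= min_ports:
            flagged.add(src)
    return flagged

def syn_sources(events):
    """All sources that sent at least one bare SYN."""
    return {src for _, src, _, _, flags in events if flags == "S"}

if __name__ == "__main__":
    total = len(syn_sources(EVENTS))
    for n in (1, 4):
        hits = scan_sources(EVENTS, min_ports=n, window_s=3.0)
        print(f"min_ports={n}: {len(hits)}/{total} sources flagged -> {sorted(hits)}")
```

With `min_ports=1` every host that opens a connection is reported; raising the threshold leaves only the source that touched several ports in the window.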
