[Snort-users] paranoid portscan preprocessor setup
hoagland at ...47...
Sat Jul 27 10:42:02 EDT 2002
At 6:28 PM -0400 7/26/02, Jason Falciola wrote:
>2. I want to see an event even if only 1 port is scanned by an inbound TCP
>or UDP packet. This doesn't seem to be working. Do I need to write my own
>rule for this, or is it a configuration issue?
I'm not clear on what you want here. A 1-packet scan is difficult to
detect. If you try to do that with the portscan preprocessor (and it
succeeds) it'll be reporting essentially all of your traffic as a scan,
in which case you had just as well run tcpdump. Its domain is
currently only TCP SYNs, but look into Spade (another Snort
preprocessor) if what you want to detect is unusual packets.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...47..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
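As an added illustration of the point above (not code from the list post or from Snort itself): a simplified model of the threshold logic the classic portscan preprocessor exposes, "N distinct ports from one source within M seconds, counting TCP SYNs only", run over a constructed sample in which one host probes four ports and three ordinary clients each open a single connection. With the threshold set to one port, every source is reported; with four ports in three seconds, only the scanner is.

```python
from collections import defaultdict

# Constructed sample of inbound TCP SYNs: (timestamp_seconds, src_ip, dst_port).
# 10.0.0.9 is the scanner; the 192.0.2.x hosts are ordinary clients.
SYNS = [
    (0.0, "192.0.2.10", 80),
    (0.5, "10.0.0.9", 21),
    (0.8, "192.0.2.11", 443),
    (1.0, "10.0.0.9", 22),
    (1.4, "10.0.0.9", 23),
    (1.9, "10.0.0.9", 25),
    (2.5, "192.0.2.12", 80),
]


def detect_scans(syns, ports, period):
    """Return the set of source IPs that hit at least `ports` distinct
    destination ports within some `period`-second window.

    This is a simplified model of a SYN-count portscan threshold, not
    Snort's implementation.
    """
    by_src = defaultdict(list)
    for ts, src, dport in syns:
        by_src[src].append((ts, dport))

    flagged = set()
    for src, events in by_src.items():
        events.sort()
        # Slide a window starting at each SYN and count distinct ports in it.
        for i, (start, _) in enumerate(events):
            distinct = {d for t, d in events[i:] if t - start <= period}
            if len(distinct) >= ports:
                flagged.add(src)
                break
    return flagged


def benign_sources_reported(syns, ports, period, scanners):
    """How many non-scanner sources a given threshold would report."""
    benign = {src for _, src, _ in syns} - set(scanners)
    return len(detect_scans(syns, ports, period) & benign)


if __name__ == "__main__":
    for ports in (1, 4):
        print(ports, "port(s) / 3 s ->", sorted(detect_scans(SYNS, ports, 3)))
```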