[Snort-users] paranoid portscan preprocessor setup
jimb at ...6373...
Sat Jul 27 13:12:06 EDT 2002
Sounds to me like you want to catch any packet to ports that aren't
allowed by your security policy, since it's obvious that you can't
determine whether a single connection to an 'allowed' dip/dport can't be
classified as a scan or legit connection easily (although a connection
that immediately hangs up, or doesn't follow up w/ the required
handshake, etc., could be classified as a scan or probe. Not sure if
anything in Snort can look for this sort of thing.). The portscan
preprocessor only reports a scan when a number of connections exceeds a
threshold. One thing you may want to look into is Spade. It looks for
'unusual' packets to uncommon destinations and reports them. It may do
more of what you're looking for.
James Hoagland wrote:
> At 6:28 PM -0400 7/26/02, Jason Falciola wrote:
>> 2. I want to see an event even if only 1 port is scanned by an
>> inbound TCP
>> or UDP packet. This doesn't seem to be working. Do I need to write
>> my own
>> rule for this, or is it a configuration issue?
> I'm not clear on what you want here. A 1-packet scan is difficult to
> detect. If you try to do that with the portscan preprocessor (and it
> succeeds) I'll be reporting essentially all of your traffic as a scan
> in which case you had just as well run tcpdump. Its domain is
> currently only TCP SYNs, but look into Spade (another Snort
> preprocessor) if what you want to detect is unusual packets.
> Good luck,
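The two approaches discussed in this thread, a threshold-based portscan detector versus a policy check that alerts on every packet to a non-allowed destination port, side by side on a constructed traffic sample. This is an added example written for this page, not code from the thread, from Snort or from Spade; the `Packet` records, the `ALLOWED` policy set and the detector parameters are assumptions, and the threshold detector is a simplified stand-in for how Snort's portscan preprocessor behaves (real Snort works on TCP SYNs with its own configured port count and time window).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary; a constructed stand-in for decoded traffic."""
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"


# Constructed sample traffic (not real captures):
#  - 10.0.0.5 uses only services the policy allows
#  - 10.0.0.9 sends ONE packet to a port the policy does not allow
#  - 10.0.0.7 walks several ports quickly (a classic scan)
SAMPLE = [
    Packet(0.0, "10.0.0.5", "192.168.1.10", 80, "tcp"),
    Packet(0.5, "10.0.0.5", "192.168.1.10", 443, "tcp"),
    Packet(1.0, "10.0.0.9", "192.168.1.10", 8080, "tcp"),
    Packet(2.0, "10.0.0.7", "192.168.1.10", 21, "tcp"),
    Packet(2.1, "10.0.0.7", "192.168.1.10", 22, "tcp"),
    Packet(2.2, "10.0.0.7", "192.168.1.10", 23, "tcp"),
    Packet(2.3, "10.0.0.7", "192.168.1.10", 25, "tcp"),
    Packet(2.4, "10.0.0.7", "192.168.1.10", 80, "tcp"),
    Packet(9.0, "10.0.0.5", "192.168.1.10", 53, "udp"),
]

# Assumed security policy: the only (dst, dport, proto) tuples that are allowed.
ALLOWED = {
    ("192.168.1.10", 80, "tcp"),
    ("192.168.1.10", 443, "tcp"),
    ("192.168.1.10", 53, "udp"),
}


def policy_alerts(packets, allowed):
    """Policy check: alert on every packet whose destination is not allowed.

    This fires on a single packet, which is what the original poster asked
    for; it needs no count or time window because the decision is per packet.
    """
    return [p for p in packets if (p.dst, p.dport, p.proto) not in allowed]


def portscan_alerts(packets, threshold=4, window=3.0):
    """Threshold detector: a source is reported once it touches at least
    `threshold` distinct (dst, dport) pairs within `window` seconds.

    Each source is reported at most once. A single probe can never reach the
    threshold, which is why the portscan preprocessor stays silent on it.
    """
    history = defaultdict(list)   # src -> [(ts, (dst, dport)), ...]
    flagged = set()
    alerts = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        hist = history[p.src]
        hist.append((p.ts, (p.dst, p.dport)))
        # keep only events inside the sliding window ending at this packet
        hist = [(t, k) for t, k in hist if p.ts - t <= window]
        history[p.src] = hist
        distinct = {k for _, k in hist}
        if len(distinct) >= threshold and p.src not in flagged:
            flagged.add(p.src)
            alerts.append((p.src, sorted(distinct)))
    return alerts


if __name__ == "__main__":
    for p in policy_alerts(SAMPLE, ALLOWED):
        print(f"POLICY  t={p.ts:<4} {p.src} -> {p.dst}:{p.dport}/{p.proto}")
    for src, targets in portscan_alerts(SAMPLE):
        print(f"SCAN    {src} touched {len(targets)} ports: "
              f"{[dport for _, dport in targets]}")
```

Running it shows the point made in the thread: the threshold detector reports only 10.0.0.7, while the policy check also reports the lone packet from 10.0.0.9 to port 8080 (and the scanner's packets to 21, 22, 23 and 25, but not its packet to the allowed port 80). The cost of the per-packet policy approach is the one the reply warns about: every packet outside the policy becomes an alert, so the allowed set has to be accurate or the alert volume approaches a raw packet dump.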