[Snort-users] paranoid portscan preprocessor setup

Jim Burwell jimb at ...6373...
Sat Jul 27 13:12:06 EDT 2002

Sounds to me like you want to catch any packet to ports that arn't 
allowed by your security policy, since it's obvious that you can't 
determin whether a single connection to a 'allowed' dip/dport can't be 
classified as a scan or legit connection easily (although a connection 
that immediatly hangs up, or doesn't follow up w/ the required 
handshake, etc, could be classified as a scan or probe.  Not sure if 
anything in Snort can look for this sort of thing.).  The portscan 
processor only reports a scan when a number of connections exceed a 
threashold.  One thing you may want to look into is Spade.  It looks for 
'unusual' packets to uncommon destinations and reports them.  It may do 
more of what you're looking for.

- Jim

James Hoagland wrote:

> At 6:28 PM -0400 7/26/02, Jason Falciola wrote:
>> 2.  I want to see an event even if only 1 port is scanned by an 
>> inbound TCP
>> or UDP packet.  This doesn't seem to be working.  Do I need to write 
>> my own
>> rule for this, or is it a configuration issue?
> I'm not clear on what you want here.  A 1-packet scan is difficult to 
> detect.  If you try to do that with the portscan preprecessor (and it 
> succeeds) I'll be reporting essentailly all of your traffic as a scan 
> in which case you had just as well run tcpdump.  Its domain is 
> currently only TCP SYNs, but look into Spade (another Snort 
> preprocessor) if what you want to detect is unusual packets.
> Good luck,
>   Jim

More information about the Snort-users mailing list