mkettler at ...4108...
Thu Jun 20 09:09:12 EDT 2002
Well, first let's explain a bit about what the portscan preprocessor does.
SPP portscan is a relatively simple syn packet counter.
From the default snort conf:
preprocessor portscan: $HOME_NET 4 3 portscan.log
This means that if there are syns to 4 different port/ip combinations to
machines within HOME_NET within 3 seconds from a given host it is declared
to be a portscan.
This could easily false if:
1) HOME_NET is set to any (ouch!) and the user starts browsing the web.
2) the particular Windows machine does any kind of "batch connects" to
other machines with IP addresses covered by HOME_NET. Examples might
include things like a pop client fetching mail from 4 different internal
mailservers at the same time. Some kind of database app that contacts 4
different SQL servers, etc etc etc.
You've been very non-specific about your configuration and the nature of
the alerts, but taking a wild guess I'd say you most likely have case 1, in
which case you should create a separate variable for the portscan
preprocessor to use. You really don't want to be detecting portscans to
"any" without bumping up the thresholds to levels that won't be useful in
detecting scans back to your network.
Without some more useful level of detail (i.e.: what ports are in the alerts?
are the destinations of the scan IPs within your network? are any of the
machines involved servers? mailservers? dns servers?) wild guesses are the
best anyone can give you.
At 08:09 AM 6/20/2002 -0400, Gregory D Hough wrote:
>I have snort listening on my gateway nic and was curious about all the
>spp_portscan alerts logged from a win box inside the network. Mulling over
>the FAQs I see how to ignore this host, but would like to know WHY first.
>Can anyone offer a simple explanation as to WHY there are so many portscan
>alerts from this win box?
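The counting rule the reply describes, written out as an added example so the two false-positive cases can be checked against constructed traffic. This is not Snort's own preprocessor code and not part of the original thread; the class name, the sample addresses and the timestamps are all made up here.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical re-creation of the rule in the reply: a source host is
# flagged once it has sent SYNs to `ports` distinct ip/port combinations
# inside HOME_NET within `seconds` seconds (defaults match "4 3").
class PortscanCounter:
    def __init__(self, home_net, ports=4, seconds=3):
        # "any" mirrors HOME_NET being set to any (case 1 in the reply)
        self.home_net = None if home_net == "any" else ip_network(home_net)
        self.ports, self.seconds = ports, seconds
        self.seen = defaultdict(list)   # src -> [(ts, dst_ip, dst_port)]

    def in_home_net(self, dst):
        return self.home_net is None or ip_address(dst) in self.home_net

    def syn(self, ts, src, dst, dport):
        """Record one SYN; return True if src now counts as a portscan."""
        if not self.in_home_net(dst):
            return False          # destinations outside HOME_NET are ignored
        window = [e for e in self.seen[src] if ts - e[0] <= self.seconds]
        window.append((ts, dst, dport))
        self.seen[src] = window
        distinct = {(d, p) for _, d, p in window}
        return len(distinct) >= self.ports

def run(home_net, syns):
    """Feed constructed SYNs in time order; return the sources flagged."""
    c = PortscanCounter(home_net)
    return {src for ts, src, dst, dport in syns if c.syn(ts, src, dst, dport)}

# Constructed traffic (not captured data): one internal client 10.0.0.5.
# Case 1: ordinary web browsing to four outside servers within 2 seconds.
WEB_BROWSING = [(0.1, "10.0.0.5", "198.51.100.1", 80),
                (0.6, "10.0.0.5", "198.51.100.2", 80),
                (1.2, "10.0.0.5", "203.0.113.7", 443),
                (1.9, "10.0.0.5", "203.0.113.9", 80)]
# Case 2: a POP client polling four internal mailservers at once.
POP_FETCH = [(0.0, "10.0.0.5", "10.0.1.1", 110),
             (0.2, "10.0.0.5", "10.0.1.2", 110),
             (0.4, "10.0.0.5", "10.0.1.3", 110),
             (0.5, "10.0.0.5", "10.0.1.4", 110)]
# Same four outside servers, but spread over 12 seconds.
SLOW_BROWSING = [(t, "10.0.0.5", d, 80) for t, d in
                 zip((0, 4, 8, 12), ("198.51.100.1", "198.51.100.2",
                                     "203.0.113.7", "203.0.113.9"))]
# Four SYNs to one ip/port: only one distinct combination, never flagged.
RETRIES = [(t, "10.0.0.5", "10.0.1.1", 110) for t in (0, 0.5, 1.0, 1.5)]
```

With HOME_NET set to any, WEB_BROWSING alone trips the counter; narrowing HOME_NET to the internal range silences it, while POP_FETCH still trips it because all four mailservers are inside the range.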