[Snort-users] [spp_portscan]

Matt Kettler mkettler at ...4108...
Thu Jun 20 09:09:12 EDT 2002

Well, first let's explain a bit about what the portscan preprocessor does.

SPP portscan is a relatively simple SYN packet counter.

From the default snort conf:

preprocessor portscan: $HOME_NET 4 3 portscan.log

This means that if there are SYNs to 4 different port/IP combinations on 
machines within HOME_NET within 3 seconds from a given host, it is declared 
to be a portscan.

This could easily false if:

1) HOME_NET is set to any (ouch!) and the user starts browsing the web.

2) the particular Windows machine does any kind of "batch connects" to 
other machines with IP addresses covered by HOME_NET. Examples might 
include things like a POP client fetching mail from 4 different internal 
mailservers at the same time, some kind of database app that contacts 4 
different SQL servers, etc etc etc.

You've been very non-specific about your configuration and the nature of 
the alerts, but taking a wild guess I'd say you most likely have case 1, in 
which case you should create a separate variable for the portscan 
preprocessor to use. You really don't want to be detecting portscans to 
"any" without bumping up the thresholds to levels that won't be useful in 
detecting scans back to your network.

Without some more useful level of detail (i.e.: what ports are in the alerts? 
are the destinations of the scan IPs within your network? are any of the 
machines involved servers? mailservers? DNS servers?) wild guesses are the 
best anyone can give you.

At 08:09 AM 6/20/2002 -0400, Gregory D Hough wrote:
>Greetings group,
>I have snort listening on my gateway nic and was curious about all the
>spp_portscan alerts logged from a win box inside the network. Mulling over
>the FAQs I see how to ignore this host, but would like to know WHY first.
>Can anyone offer a simple explanation as to WHY there are so many portscan
>alerts from this win box?
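An added illustration, not part of Matt's reply or of Snort's own code: a small Python model of the SYN counter as the post describes it, run over constructed traffic from one Windows box, showing why both HOME_NET set to any (case 1) and a batch POP fetch (case 2) trip the 4-in-3-seconds threshold, and what a separate, narrower portscan variable changes. The addresses, the packet list and the `portscan_alerts` / `compare_home_net` names are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network


def portscan_alerts(packets, home_net, ports=4, seconds=3.0):
    """Model of the spp_portscan SYN counter described in the post.
    packets: (timestamp, src_ip, dst_ip, dst_port) SYNs; home_net: CIDR
    strings standing in for $HOME_NET; ports/seconds mirror the '4 3'.
    Returns [(timestamp, src_ip), ...], one entry per declared portscan."""
    nets = [ip_network(n) for n in home_net]
    recent = defaultdict(list)  # src -> [(ts, (dst_ip, dst_port)), ...]
    alerts = []
    for ts, src, dst, port in sorted(packets):
        if not any(ip_address(dst) in n for n in nets):
            continue  # SYNs to hosts outside HOME_NET are not counted
        hits = [h for h in recent[src] if ts - h[0] <= seconds]  # slide window
        hits.append((ts, (dst, port)))
        if len({h[1] for h in hits}) >= ports:  # distinct ip/port combinations
            alerts.append((ts, src))
            hits = []  # start counting afresh after an alert
        recent[src] = hits
    return alerts


# Constructed traffic from one Windows box: it polls four internal POP3
# servers at once (case 2 in the post), then ten seconds later opens four
# web sites on the Internet (the browsing traffic of case 1).
SAMPLE_SYNS = [
    (0.0, "192.168.1.50", "192.168.1.10", 110),
    (0.2, "192.168.1.50", "192.168.1.11", 110),
    (0.4, "192.168.1.50", "192.168.1.12", 110),
    (0.6, "192.168.1.50", "192.168.1.13", 110),
    (10.0, "192.168.1.50", "203.0.113.5", 80),
    (10.5, "192.168.1.50", "203.0.113.6", 80),
    (11.0, "192.168.1.50", "203.0.113.7", 80),
    (11.5, "192.168.1.50", "203.0.113.8", 80),
]


def compare_home_net():
    """HOME_NET=any flags both bursts; a variable limited to the internal
    range drops the browsing alert and leaves only the batch POP fetch."""
    return {
        "any": portscan_alerts(SAMPLE_SYNS, ["0.0.0.0/0"]),
        "internal": portscan_alerts(SAMPLE_SYNS, ["192.168.1.0/24"]),
    }


if __name__ == "__main__":
    for name, alerts in compare_home_net().items():
        print(f"HOME_NET={name}: {len(alerts)} portscan alert(s) {alerts}")
```

The batch POP fetch still alerts with the narrower variable, which is the case where the FAQ's per-host ignore (or a raised threshold) is the remaining knob.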

