[Snort-users] Detecting benchmarks

Erek Adams erek at ...577...
Fri May 10 12:00:03 EDT 2002


On Fri, 10 May 2002, Pawel Rogocz wrote:

> I did some more testing using hping2.
> If I run hping -p 80 -i u3000 -S MYIP
> it will send 300 SYN pkts/sec to the same port (80),
> but snort will not say a word. Only after I start hitting ^Z
> which changes the destination port, spp_portscan will notice something is
> going on :-(

Pawel,

	Sorry for the delay, bit o' router trouble yesterday....

	Anyways...  Yes, you're right.  spp_portscan looks for ports across
machines, not the same port over and over to the same machine.  If the machine
or port changes, it will be logged as a scan.

	Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list