[Snort-users] Detecting benchmarks
erek at ...577...
Fri May 10 12:00:03 EDT 2002
On Fri, 10 May 2002, Pawel Rogocz wrote:
> I did some more testing using hping2.
> If I run hping -p 80 -i u3000 -S MYIP
> it will send 300 SYN pkts/sec to the same port (80),
> but snort will not say a word. Only after I start hitting ^Z
> which changes the destination port, spp_portscan will notice something is
> going on :-(
Sorry for the delay, bit o' router trouble yesterday....
Anyways... Yes, you're right. spp_portscan looks for ports across
machines, not the same port over and over to the same machine. If the machine
or port changes, it will be logged as a scan.
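
The behaviour described in this thread, as an added example that is not part of the original posts and is not spp_portscan's code: a simplified distinct-target counter stays silent on repeated SYNs to one port, while a separate per-flow SYN rate counter catches them. The thresholds, function names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (timestamp_seconds, src_ip, dst_ip, dst_port), all TCP SYNs.
# Addresses come from the documentation ranges; they are not from the thread.
SRC, DST = "192.0.2.10", "198.51.100.5"

def same_port_syns(n=300, interval=0.003):
    """SYNs every 3 ms to the same host and port, as in the hping2 test above."""
    return [(i * interval, SRC, DST, 80) for i in range(n)]

def changing_port_syns(n=10, interval=0.003):
    """The same sender, but the destination port changes on every packet."""
    return [(i * interval, SRC, DST, 80 + i) for i in range(n)]

def distinct_target_alerts(events, max_targets=4, window=3.0):
    """Portscan-style check (simplified model): alert on a source that touches
    more than max_targets distinct (host, port) pairs within the window."""
    seen = defaultdict(dict)          # src -> {(dst, port): last timestamp}
    alerts = set()
    for ts, src, dst, port in events:
        targets = seen[src]
        targets[(dst, port)] = ts     # a repeat only refreshes the timestamp
        for key in [k for k, t in targets.items() if ts - t > window]:
            del targets[key]          # expire targets older than the window
        if len(targets) > max_targets:
            alerts.add(src)
    return alerts

def syn_rate_alerts(events, max_syns=100, window=1.0):
    """Complementary check: alert on a (src, dst, port) flow that receives
    more than max_syns SYNs within a sliding window."""
    recent = defaultdict(list)        # flow -> timestamps still in the window
    alerts = set()
    for ts, src, dst, port in events:
        q = recent[(src, dst, port)]
        q.append(ts)
        while ts - q[0] > window:
            q.pop(0)
        if len(q) > max_syns:
            alerts.add((src, dst, port))
    return alerts

if __name__ == "__main__":
    for name, ev in (("same port", same_port_syns()), ("changing port", changing_port_syns())):
        print(name, "distinct-target:", distinct_target_alerts(ev), "rate:", syn_rate_alerts(ev))
```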