[Snort-users] SYN flood detection
erek at ...577...
Fri May 10 14:33:03 EDT 2002
On Fri, 10 May 2002, Pawel Rogocz wrote:
> Thanks for bringing this up Erek.
Just thinking out loud.... :)
> Now, I am not sure what the portscan processor really tries to do, if
> it only detects scans that are going to different ports.
> It will not detect scans going to the same port whether they go to the
> same box or not.
Well, I can't agree with this statement. I've got listings in my portscan.log
that clearly show this behavior.
May 8 11:32:27 184.108.40.206:21 -> 10.10.10.77:21 SYN ******S*
May 8 11:32:27 220.127.116.11:21 -> 10.10.10.83:21 SYN ******S*
May 8 11:41:49 18.104.22.168:21 -> 10.10.10.66:21 SYN ******S*
May 8 11:41:49 22.214.171.124:21 -> 10.10.10.68:21 SYN ******S*
May 8 11:41:49 126.96.36.199:21 -> 10.10.10.69:21 SYN ******S*
That's from two different scans, both across the same subnets. That scan only
went to port 21 on each and every IP across my $HOME_NET.
> The change to spp_portscan.c is trivial, but as Matt pointed out,
> you will have to think what your thresholds should be....
heh... Tuning, Retuning, and Tuning again. And who said running an IDS isn't
like working on a car? ;-)
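
Added example, not part of the original message and not Snort's own code: a small offline check that reads lines in the portscan.log format quoted above and reports sources that hit the same port on several hosts. The sample lines are constructed, and the names same_port_sweeps, min_hosts and window, along with their default thresholds, are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the portscan.log line format quoted above
# (documentation/private addresses, not values taken from the post).
SAMPLE_LOG = """\
May 8 11:32:27 192.0.2.10:21 -> 10.10.10.77:21 SYN ******S*
May 8 11:32:27 192.0.2.10:21 -> 10.10.10.83:21 SYN ******S*
May 8 11:32:28 192.0.2.10:21 -> 10.10.10.84:21 SYN ******S*
May 8 11:41:49 198.51.100.7:21 -> 10.10.10.66:21 SYN ******S*
May 8 11:41:49 198.51.100.7:21 -> 10.10.10.68:21 SYN ******S*
May 8 11:41:49 198.51.100.7:21 -> 10.10.10.69:21 SYN ******S*
May 8 11:50:02 203.0.113.5:4312 -> 10.10.10.66:80 SYN ******S*
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\d+(?:\.\d+){3}):(\d+) -> "
    r"(\d+(?:\.\d+){3}):(\d+) (\S+) (\S+)$")

def parse(log, year=2002):
    """Yield (time, src, dst, dport) for every well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(4), int(m.group(5))

def same_port_sweeps(log, min_hosts=3, window=timedelta(seconds=60)):
    """Return {(src, dport): sorted hosts} where one source hit at least
    min_hosts distinct destinations on a single port within the window."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        by_key[(src, dport)].append((ts, dst))
    sweeps = {}
    for key, events in by_key.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                sweeps[key] = sorted(hosts)
                break
    return sweeps

if __name__ == "__main__":
    for (src, port), hosts in same_port_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept port {port} on {len(hosts)} hosts: {hosts}")
```

Raising min_hosts or shortening window trades missed slow sweeps against noise from busy legitimate clients, which is the tuning question raised in the thread.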