[Snort-users] SYN flood detection

Erek Adams erek at ...577...
Fri May 10 14:33:03 EDT 2002

On Fri, 10 May 2002, Pawel Rogocz wrote:

> Thanks for bringing this up Erek.

Just thinking out loud....  :)

> Now, I am not sure what the portscan processor really tries to do, if
> it only detects scans that are going to different ports.
> It will not detect scans going to the same port whether they go to the
> same box or not.

Well, I can't agree with this statement.  I've got listings in my portscan.log
that clearly show this behavior.


May  8 11:32:27 -> SYN ******S*
May  8 11:32:27 -> SYN ******S*
May  8 11:41:49 -> SYN ******S*
May  8 11:41:49 -> SYN ******S*
May  8 11:41:49 -> SYN ******S*


That's from two different scans, both across the same subnets.  That scan only
went to port 21 on each and every IP across my $HOME_NET.

> The change to spp_portscan.c is trivial, but as Matt pointed out,
> you will have to think what your thresholds should be....

heh...  Tuning, Retuning, and Tuning again.  And who said running an IDS isn't
like working on a car? ;-)

Erek Adams
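Added example, not part of the original thread and not Snort's spp_portscan code: a small Python detector that runs over constructed portscan.log-style lines and flags the case debated above, one source hitting the same port on many hosts (horizontal), alongside the classic many-ports-on-one-host case (vertical). The addresses, the distinct-target thresholds and the 60-second window are assumptions; the line format is assumed to match the page's listing with the source and destination addresses filled in, since the page's own lines have them stripped.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of Snort 1.x portscan.log. Addresses are
# made up (documentation ranges); the page's own listing has them stripped.
# Assumed format: Mon DD HH:MM:SS src:sport -> dst:dport FLAGS BITS
SAMPLE_LOG = """\
May  8 11:32:27 192.0.2.10:4021 -> 198.51.100.1:21 SYN ******S*
May  8 11:32:27 192.0.2.10:4022 -> 198.51.100.2:21 SYN ******S*
May  8 11:32:28 192.0.2.10:4023 -> 198.51.100.3:21 SYN ******S*
May  8 11:32:28 192.0.2.10:4024 -> 198.51.100.4:21 SYN ******S*
May  8 11:32:29 192.0.2.10:4025 -> 198.51.100.5:21 SYN ******S*
May  8 11:41:49 192.0.2.77:3001 -> 198.51.100.9:22 SYN ******S*
May  8 11:41:49 192.0.2.77:3002 -> 198.51.100.9:80 SYN ******S*
May  8 11:41:50 192.0.2.77:3003 -> 198.51.100.9:443 SYN ******S*
May  8 11:41:50 192.0.2.77:3004 -> 198.51.100.9:25 SYN ******S*
May  8 11:41:51 192.0.2.77:3005 -> 198.51.100.9:110 SYN ******S*
May  8 11:55:00 192.0.2.200:5000 -> 198.51.100.20:21 SYN ******S*
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)"
)


def parse_line(line, year=2002):
    """Parse one portscan.log line into a dict, or None if it does not match.
    Syslog-style timestamps carry no year, so one is supplied (assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "flags": m["flags"]}


def detect_scans(text, hosts_threshold=5, ports_threshold=5, window_seconds=60):
    """Sliding-window scan detection over portscan.log text.

    horizontal: one source, one destination port, >= hosts_threshold distinct
                destination hosts inside the window (same port, many boxes)
    vertical:   one source, one destination host, >= ports_threshold distinct
                destination ports inside the window (many ports, one box)
    Returns a list of (src, kind, key, distinct_count) tuples, one per
    (kind, key) so a long scan produces a single alert, not one per packet.
    """
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    horiz = defaultdict(list)   # (src, dport) -> [(ts, dst), ...]
    vert = defaultdict(list)    # (src, dst)   -> [(ts, dport), ...]
    alerts, alerted = [], set()
    for e in events:
        for table, kind, key, target, threshold in (
            (horiz, "horizontal", (e["src"], e["dport"]), e["dst"], hosts_threshold),
            (vert, "vertical", (e["src"], e["dst"]), e["dport"], ports_threshold),
        ):
            cutoff = e["ts"].timestamp() - window_seconds
            # Keep only entries still inside the window, then add this event.
            bucket = [(t, x) for t, x in table[key] if t.timestamp() >= cutoff]
            bucket.append((e["ts"], target))
            table[key] = bucket
            distinct = {x for _, x in bucket}
            if len(distinct) >= threshold and (kind, key) not in alerted:
                alerted.add((kind, key))
                alerts.append((e["src"], kind, key[1], len(distinct)))
    return alerts


if __name__ == "__main__":
    for src, kind, key, n in detect_scans(SAMPLE_LOG):
        print(f"{kind} scan from {src}: {n} distinct targets (key {key})")
```

The thresholds are the part the thread says you will have to tune: the sample flags the port-21 sweep at five hosts in a minute, but on a busy network a legitimate management host or a monitoring poller can touch that many boxes on one port, so the window and counts should be set from a baseline of your own traffic rather than the defaults here.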
