[Snort-users] SYN flood detection

Erek Adams erek at ...577...
Fri May 10 14:33:03 EDT 2002


On Fri, 10 May 2002, Pawel Rogocz wrote:

> Thanks for bringing this up Erek.

Just thinking out loud....  :)

> Now, I am not sure what the portscan processor really tries to do, if
> it only detects scans that are going to different ports.
> It will not detect scans going to the same port whether they go to the
> same box or not.

Well, I can't agree with this statement.  I've got listings in my portscan.log
that clearly show this behavior.

[...snip...]

May  8 11:32:27 206.47.65.111:21 -> 10.10.10.77:21 SYN ******S*
May  8 11:32:27 206.47.65.111:21 -> 10.10.10.83:21 SYN ******S*
May  8 11:41:49 202.188.200.44:21 -> 10.10.10.66:21 SYN ******S*
May  8 11:41:49 202.188.200.44:21 -> 10.10.10.68:21 SYN ******S*
May  8 11:41:49 202.188.200.44:21 -> 10.10.10.69:21 SYN ******S*

[...snip...]

That's from two different scans, both across the same subnets.  That scan only
went to port 21 on each and every IP across my $HOME_NET.

> The change to spp_portscan.c is trivial, but as Matt pointed out,
> you will have to think what your thresholds should be....

heh...  Tuning, Retuning, and Tuning again.  And who said running an IDS isn't
like working on a car? ;-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
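The log lines quoted above are the input a detector like spp_portscan works from: one port hit on many hosts (the "horizontal" case Pawel was unsure about) versus many ports on one host. The following is an added example, not code from the thread or from Snort; it parses that portscan.log format, classifies each source, and uses constructed thresholds (and one constructed vertical-scan source, 192.0.2.9) to show where the tuning Matt mentioned comes in.

```python
"""Classify spp_portscan-style log lines as horizontal or vertical scans.

Added example; the log format is taken from the lines quoted in the post,
the thresholds and the 192.0.2.9 entries are constructed for illustration.
"""
import re
from collections import defaultdict

# "May  8 11:32:27 206.47.65.111:21 -> 10.10.10.77:21 SYN ******S*"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>.*)$")

def parse_line(line):
    """Return the fields of one portscan.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(lines, host_threshold=3, port_threshold=3):
    """Per source IP: distinct hosts and ports seen, plus the scan pattern.

    horizontal: one destination port on >= host_threshold distinct hosts
    vertical:   >= port_threshold distinct ports on a single host
    mixed:      both thresholds exceeded; none: below threshold (tuning!)
    """
    hosts, ports = defaultdict(set), defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue          # not a portscan entry; skip it
        hosts[e["src"]].add(e["dst"])
        ports[e["src"]].add(e["dport"])
    report = {}
    for src in hosts:
        n_hosts, n_ports = len(hosts[src]), len(ports[src])
        many_hosts, many_ports = n_hosts >= host_threshold, n_ports >= port_threshold
        kind = ("mixed" if many_hosts and many_ports else
                "horizontal" if many_hosts and n_ports == 1 else
                "vertical" if many_ports and n_hosts == 1 else "none")
        report[src] = {"hosts": n_hosts, "ports": n_ports, "kind": kind}
    return report

SAMPLE = [  # the five quoted lines plus a constructed vertical scan
    "May  8 11:32:27 206.47.65.111:21 -> 10.10.10.77:21 SYN ******S*",
    "May  8 11:32:27 206.47.65.111:21 -> 10.10.10.83:21 SYN ******S*",
    "May  8 11:41:49 202.188.200.44:21 -> 10.10.10.66:21 SYN ******S*",
    "May  8 11:41:49 202.188.200.44:21 -> 10.10.10.68:21 SYN ******S*",
    "May  8 11:41:49 202.188.200.44:21 -> 10.10.10.69:21 SYN ******S*",
    "May  8 12:01:05 192.0.2.9:40001 -> 10.10.10.70:21 SYN ******S*",
    "May  8 12:01:05 192.0.2.9:40002 -> 10.10.10.70:22 SYN ******S*",
    "May  8 12:01:06 192.0.2.9:40003 -> 10.10.10.70:23 SYN ******S*",
]
```

With the default threshold of three hosts, 202.188.200.44 is reported as a horizontal scan while 206.47.65.111 (two hosts in the snippet) is not; lowering host_threshold to 2 flags both, which is exactly the trade-off the thresholds force on you.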
