[Snort-users] portscan2 effectiveness.
mkettler at ...4108...
Tue Apr 29 17:25:09 EDT 2003
At 04:16 PM 4/29/2003 -0700, Skip Carter wrote:
> > >I've only heard of one person who gets decent results with it (I think
> > >that's Erek) and that person admits their network is "not typical".
> > Hmmm. Maybe there's two of us now .... ;-)
> It would seem that those of us using it have not had much reason to
> speak up. I haven't had too much problem with it either.
Interesting. Good to hear that some people are getting good results from
it. I checked my mailbox archive, I've asked several times, and Erek's the
only person that ever indicated it worked.
Here are some of my pointed criticisms of the portscan2 preprocessor on the
list over the past few months.
Thu, 20 Mar 2003 17:55:32 -0500 Re: [Snort-users]
portscan2-ignoreports...anyone get it to work???
"I don't know, but if you ever hear of anyone that's ever been able to do
anything useful with spp_portscan2, let me know.."
Mon, 24 Mar 2003 20:22:44 -0500 Re: [Snort-users] portscan and portscan2
"That said, I've had such horrible experiences with portscan2 that I'm
surprised that the snort-devels haven't scrapped it completely and removed
it from the code, although Erek seems to have good results from it.."
Wed, 23 Apr 2003 17:57:02 -0400 Re: [Snort-users] Too little traffic being
"If it is, disable spp_portscan2 and spp_conversation and try that. They
chew up a lot of memory and add a lot of overhead for something that
doesn't work well."
Of course, my experiences still amount to it being less useful at detecting
network attacks than Microsoft Bob and more prone to false positives than
using the load-meter on my router to detect attacks.