[Snort-users] portscan2 effectiveness.

Matt Kettler mkettler at ...4108...
Tue Apr 29 17:25:09 EDT 2003


At 04:16 PM 4/29/2003 -0700, Skip Carter wrote:
> > >I've only heard of one person who gets decent results with it (I think
> > >that's Erek) and that person admits their network is "not typical".
> >
> > Hmmm.  Maybe there's two of us now ....  ;-)
>
>         It would seem that those of us using it have not had much reason to
>speak up.  I haven't had too much problem with it either.

Interesting. Good to hear that some people are getting good results from 
it. I checked my mailbox archive: I've asked several times, and Erek's the 
only person who ever indicated it worked.

Here are some of my pointed criticisms of the portscan2 preprocessor on the 
list over the past few months.

Thu, 20 Mar 2003 17:55:32 -0500   Re: [Snort-users] 
portscan2-ignoreports...anyone get it to work???
"I don't know, but if you ever hear of anyone that's ever been able to do 
anything useful with spp_portscan2, let me know.."

Mon, 24 Mar 2003 20:22:44 -0500 Re: [Snort-users] portscan and portscan2
"That said, I've had such horrible experiences with portscan2 that I'm 
surprised that the snort-devels haven't scrapped it completely and removed 
it from the code, although Erek seems to have good results from it.."

Wed, 23 Apr 2003 17:57:02 -0400 Re: [Snort-users] Too little traffic being 
seen!
"If it is, disable spp_portscan2 and spp_conversation and try that. They 
chew up a lot of memory and add a lot of overhead for something that 
doesn't work well."

Of course, my experiences still amount to it being less useful at detecting 
network attacks than Microsoft Bob and more prone to false positive than 
using the load-meter on my router to detect attacks.
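The false-positive complaint above is easiest to see with a small model of what a threshold-based scan detector does. The following is an added example, not code from this post and not Snort's spp_portscan2 source: it keeps, per source address, the distinct destination hosts and (host, port) pairs seen within a sliding time window and raises an alert when either count exceeds a limit. The option names (port_limit, target_limit, timeout, ignorehosts) are modeled on portscan2's configuration keywords, but the counting semantics, the default thresholds and the sample traffic are all assumptions constructed for illustration. The sample shows a real 30-port probe and a busy monitoring host that polls eight web servers; both trip the detector until the monitoring host is whitelisted or target_limit is raised.

```python
"""Simplified model of threshold-based portscan detection.

Constructed example. This is NOT Snort's spp_portscan2 code: it models the
kind of counting such a preprocessor does (distinct targets and distinct
host/port pairs per source inside a timeout window) so that the false
positive behaviour discussed on the list can be reproduced offline.
Parameter names follow portscan2's keywords; thresholds are assumptions.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class PortscanDetector:
    def __init__(self, port_limit=20, target_limit=5, timeout=60, ignorehosts=()):
        self.port_limit = port_limit      # distinct (dst_host, dst_port) pairs allowed
        self.target_limit = target_limit  # distinct dst hosts allowed
        self.timeout = timeout            # sliding window, seconds
        self.ignore = [ip_network(n) for n in ignorehosts]  # like portscan2-ignorehosts
        self.events = defaultdict(deque)  # src -> deque of (ts, dst, dport), oldest first
        self.alerted = set()              # sources already reported (alert once per source)

    def _ignored(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.ignore)

    def observe(self, ts, src, dst, dport):
        """Feed one connection attempt; return an alert dict or None."""
        if self._ignored(src):
            return None
        q = self.events[src]
        q.append((ts, dst, dport))
        # Expire entries that fell out of the window.
        while q and ts - q[0][0] > self.timeout:
            q.popleft()
        hosts = {d for _, d, _ in q}
        pairs = {(d, p) for _, d, p in q}
        if len(pairs) > self.port_limit or len(hosts) > self.target_limit:
            if src not in self.alerted:
                self.alerted.add(src)
                return {"src": src, "hosts": len(hosts), "ports": len(pairs), "ts": ts}
        return None


def build_sample_traffic():
    """Constructed (ts, src, dst, dport) records; addresses are documentation/RFC1918 space."""
    events = []
    # A real scan: one source probing 30 ports on one host in three seconds.
    for i in range(30):
        events.append((0.1 * i, "198.51.100.7", "10.0.0.1", 1 + i))
    # A legitimate monitoring host polling eight web servers on port 80 over 35 seconds.
    for i in range(8):
        events.append((5.0 * i, "10.0.0.50", f"10.0.0.{10 + i}", 80))
    # An ordinary workstation touching three services on three hosts.
    events.append((1.0, "10.0.0.77", "10.0.0.10", 80))
    events.append((2.0, "10.0.0.77", "10.0.0.11", 443))
    events.append((3.0, "10.0.0.77", "10.0.0.12", 22))
    return sorted(events)


def run(events, **cfg):
    """Replay records through a detector; return the list of alerts raised."""
    det = PortscanDetector(**cfg)
    alerts = []
    for ts, src, dst, dport in events:
        alert = det.observe(ts, src, dst, dport)
        if alert:
            alerts.append(alert)
    return alerts


def alerted_sources(events, **cfg):
    return sorted(a["src"] for a in run(events, **cfg))


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("defaults:           ", alerted_sources(traffic))
    print("ignorehosts applied:", alerted_sources(traffic, ignorehosts=("10.0.0.50/32",)))
    print("target_limit=10:    ", alerted_sources(traffic, target_limit=10))
```

With the assumed defaults both the scanner and the monitoring host are flagged; excluding the monitor via the ignorehosts list, or raising target_limit above the number of hosts it legitimately contacts, leaves only the scanner. Any real tuning of portscan2 is a matter of finding such thresholds for the traffic mix on your own network, which is the point the thread keeps returning to.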
