[Snort-users] Re: [Snort-sigs] good settings for portscan preprocessor?

Matt Kettler mkettler at ...4108...
Thu Nov 13 11:32:13 EST 2003

At 06:52 AM 11/13/2003, David Wilburn wrote:
>I've never had any good luck with the portscan preprocessor with Snort in 
>any network I've used it on with the default settings, regardless of my 
>host filtering.  Does anyone here have any recommendations on a good 
>setting that they've used in a large-ish network?
>By the way, I'm using the original portscan preprocessor, not portscan2, 
>due to my using Snort in conjunction with SGUIL.

(moving this thread to snort-users where it belongs; this has absolutely 
nothing to do with signature development)

"large-ish" is a very relative term.. but a few years ago I used to use it 
with 5 2 settings on a 100-user network.

However, in a modern world neither of the portscan preprocessors is going 
to be effective against an intruder.. let's face it.. nmap exists, and can 
very easily be configured to have an extraordinarily slow rate of scan.. 
Even the lamest of skript kiddies can download nmap for windows and scan 
your network at a rate that will take him a couple weeks to complete, but 
who cares, he can leave it running minimized and look at the results later.

Attackers with even modest skill levels are certainly going to be using 
significantly better tactics than what nmap can provide out-of-the-box.

Really the best you can hope for from either of the portscan preprocessors 
is to detect sweeps of probes from network worms trying to automatically 
find hosts to infect. You'll also pick up a few of the lowest-skill-level 
kiddies, and some spammers doing quick scans for open relay mailservers or 
open proxies, but you're certainly not going to pick up anyone that's any 
kind of threat to a reasonably well configured network.

Since you're only going to be able to detect the really reckless and loud 
automated attackers, I see no reason not to use really high thresholds like 
100 2.

If you want to try to detect people doing slow-rate scans, a statistical 
deviation analysis tool like the Spade add-on for Snort is pretty much your 
best bet. Your only other hope is that you can pick them up with an attack 
signature when they finally do attack.
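To make the "5 2" versus "100 2" trade-off concrete, here is an added example (not from the original post or from Snort itself) that replays constructed connection records through a sliding-window detector. It assumes the original portscan preprocessor's "ports seconds" pair means "alert when one source touches at least that many distinct ports within that many seconds", which matches the shape of its config line; the addresses and timestamps are made up.

```python
from collections import deque

# Constructed sample events: (timestamp_seconds, src_ip, dst_port).
def make_events():
    events = []
    # A normal client: four ports within two seconds.
    events += [(0.0, "10.0.0.5", 80), (0.4, "10.0.0.5", 443),
               (1.1, "10.0.0.5", 53), (1.9, "10.0.0.5", 25)]
    # A noisy worm-style sweep: 150 ports in one second.
    events += [(10.0 + i / 150, "10.0.0.9", 1 + i) for i in range(150)]
    # A patient scanner: one port per minute, 150 ports over 2.5 hours.
    events += [(100.0 + 60 * i, "10.0.0.66", 1 + i) for i in range(150)]
    return events

def portscan_alerts(events, ports, seconds):
    """Assumed preprocessor semantics: flag a source once it has hit at
    least `ports` distinct destination ports inside any `seconds`-long
    window. Returns the set of flagged source addresses."""
    recent = {}          # src -> deque of (ts, port) still inside the window
    flagged = set()
    for ts, src, port in sorted(events):
        q = recent.setdefault(src, deque())
        q.append((ts, port))
        while ts - q[0][0] > seconds:   # expire probes older than the window
            q.popleft()
        if len({p for _, p in q}) >= ports:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    ev = make_events()
    for ports, seconds in ((5, 2), (100, 2), (100, 7200)):
        hits = sorted(portscan_alerts(ev, ports, seconds))
        print(f"setting '{ports} {seconds}': alerts on {hits}")
```

Both "5 2" and "100 2" catch only the one-second sweep; the one-port-a-minute scanner never has more than a single port inside a two-second window and is invisible to either setting, which is the point of the message above. Only a two-hour window ("100 7200") sees it, and a window that wide is what a tool like Spade is built to approximate statistically.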
