[Snort-users] Re: [Snort-sigs] good settings for portscan preprocessor?
mkettler at ...4108...
Thu Nov 13 11:32:13 EST 2003
At 06:52 AM 11/13/2003, David Wilburn wrote:
>I've never had any good luck with the portscan preprocessor with Snort in
>any network I've used it on with the default settings, regardless of my
>host filtering. Does anyone here have any recommendations on a good
>setting that they've used in a large-ish network?
>By the way, I'm using the original portscan preprocessor, not portscan2,
>due to my using Snort in conjunction with SGUIL.
(moving this thread to snort-users where it belongs, this has absolutely
nothing to do with signature development)
"large-ish" is a very relative term.. but a few years ago I used to use it
with 5 2 settings on a 100-user network.
However, in a modern world neither of the portscan preprocessors is going
to be effective against an intruder.. let's face it.. nmap exists, and can
very easily be configured to have an extraordinarily slow rate of scan..
Even the lamest of skript kiddies can download nmap for windows and scan
your network at a rate that will take him a couple weeks to complete, but
who cares, he can leave it running minimized and look at the results later.
Attackers with even modest skill levels are certainly going to be using
significantly better tactics than what nmap can provide out-of-the-box.
Really the best you can hope for from either of the portscan preprocessors
is to detect sweeps of probes from network worms trying to automatically
find hosts to infect. You'll also pick up a few of the lowest-skill-level
kiddies, and some spammers doing quick scans for open relay mailservers or
open proxies, but you're certainly not going to pick up anyone that's any
kind of threat to a reasonably well configured network.
Since you're only going to be able to detect the really reckless and loud
automated attackers, I see no reason not to use really high thresholds like
If you want to try to detect people doing slow-rate scans, a statistical
deviation analysis tool like the spade add-on for snort is pretty much your
best bet. Your only other hope is that you can pick them up with an attack
signature when they finally do attack.
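The argument above (a ports-per-seconds threshold catches fast, noisy sweeps but never a scan paced slowly enough) can be checked with a small detector. This is an added example, not the poster's code and not Snort's: it re-implements the original preprocessor's idea in simplified form (alert when one source touches more than `ports` distinct host:port pairs within any `seconds` window) and runs it over constructed probe records, not real traffic.

```python
from collections import defaultdict, deque


def detect_portscans(events, ports, seconds):
    """Simplified threshold scan detector (example code, not Snort's own logic).

    events: iterable of (timestamp, src, dst, dport) tuples sorted by time.
    Alerts once per source that probes more than `ports` distinct (dst, dport)
    pairs inside a sliding window of `seconds` seconds.
    Returns a list of (src, window_start_ts, alert_ts).
    """
    windows = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
    alerted = set()
    alerts = []
    for ts, src, dst, dport in events:
        win = windows[src]
        win.append((ts, (dst, dport)))
        # age out probes that fell outside the window
        while win and ts - win[0][0] > seconds:
            win.popleft()
        distinct_targets = {target for _, target in win}
        if len(distinct_targets) > ports and src not in alerted:
            alerted.add(src)
            alerts.append((src, win[0][0], ts))
    return alerts


def synthetic_scan(src, start, interval, count):
    """Constructed probes from `src` to `count` hosts on port 445, one every `interval` s."""
    return [(start + i * interval, src, "10.0.0.%d" % (10 + i), 445)
            for i in range(count)]


# Constructed traffic (RFC 5737 documentation addresses): a worm-style sweep
# probing ten hosts per second, and a slow scan of the same 40 targets that
# waits a full minute between probes.
WORM_SWEEP = synthetic_scan("192.0.2.10", 0.0, 0.1, 40)
SLOW_SCAN = synthetic_scan("192.0.2.20", 0.0, 60.0, 40)


def alerting_sources(ports, seconds):
    """Which constructed sources trip the threshold when both scans are mixed."""
    mixed = sorted(WORM_SWEEP + SLOW_SCAN)
    return sorted({src for src, _, _ in detect_portscans(mixed, ports, seconds)})


if __name__ == "__main__":
    # The poster's "5 2" and a much higher threshold flag the same source:
    # the sweep alerts either way, the slow scan never does.
    print("5 ports / 2 s :", alerting_sources(5, 2))
    print("20 ports / 10 s:", alerting_sources(20, 10))
```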