[Snort-users] Flow-portscan oddity

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Mon Apr 12 14:21:12 EDT 2004


Using the default configuration for flow and flow portscan... And
testing it on an external interface... We're seeing absolutely no alerts
triggered.  I've attempted using many output mechanisms, hoping that it
wasn't the method we were using, and the results are the same.   I'm
100% positive there were several scans happening on this same interface,
as I ran portscan2 at the same time with a different snort, on the same
interface.   Many noisy ugly alerts from portscan2... Nothing from
flow-portscan.

The config:

preprocessor flow: hash 2
preprocessor flow-portscan: \
       talker-sliding-scale-factor 0.50 \
       talker-fixed-threshold 30 \
       talker-sliding-threshold 30 \
       talker-sliding-window 20 \
       talker-fixed-window 30 \
       scoreboard-rows-talker 30000 \
       server-watchnet [somesubnet] \
       server-ignore-limit 200 \
       server-rows 65535 \
       server-learning-time 14400 \
       server-scanner-limit 4 \
       scanner-sliding-window 20 \
       scanner-sliding-scale-factor 0.50 \
       scanner-fixed-threshold 15 \
       scanner-sliding-threshold 40 \
       scanner-fixed-window 15 \
       scoreboard-rows-scanner 30000 \
       alert-mode once \
       output-mode msg \
       tcp-penalties on

The scans:

Nmap -O
Nmap -sT (entire subnet on interface) -p 1-1024
Nmap -sU (entire subnet on interface)
Normally this interface is extremely noisy when portscan watches it...
So it was interesting to see how quiet flow-portscan was after some of
the complaints of noise I'd seen.
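
The following is an added example and is not code from the original post or from Snort itself. It is a simplified model of the talker-side scoring that the config above parameterises (fixed window, sliding window, scale factor, threshold, alert-mode once), built to show what those five talker parameters would have to count for an nmap -sT of ports 1-1024 to trip them, and why a slow scan can pass the fixed window yet still exceed the sliding one. The window semantics (fixed window resets after N seconds; sliding window is extended by sliding-window x scale-factor on every new target) are an assumption of this model, not a description of the flow-portscan source, and the flow records are constructed.

```python
"""Simplified talker scoreboard (added example; assumed model, not Snort's code)."""


class TalkerScoreboard:
    """One row per source ("talker"), two counters of unique (dst, port) targets.

    fixed window   : counts targets for fixed_window seconds, then resets.
    sliding window : counts targets until sliding_end; every new target pushes
                     sliding_end forward by sliding_window * scale_factor.
    alert_once     : like 'alert-mode once', report a talker only the first time.
    """

    def __init__(self, fixed_threshold, fixed_window,
                 sliding_threshold, sliding_window, scale_factor, alert_once=True):
        self.fixed_threshold = fixed_threshold
        self.fixed_window = fixed_window
        self.sliding_threshold = sliding_threshold
        self.sliding_window = sliding_window
        self.scale_factor = scale_factor
        self.alert_once = alert_once
        self.rows = {}       # src -> per-talker state
        self.alerted = set()

    def _row(self, src, ts):
        return self.rows.setdefault(src, {
            "fixed_start": ts, "fixed_targets": set(),
            "sliding_end": ts + self.sliding_window, "sliding_targets": set(),
        })

    def observe(self, ts, src, dst, port):
        """Feed one new flow; return the list of alert strings it produced."""
        row = self._row(src, ts)
        target = (dst, port)

        # Fixed window: drop everything once the window has elapsed.
        if ts - row["fixed_start"] >= self.fixed_window:
            row["fixed_start"] = ts
            row["fixed_targets"] = set()
        row["fixed_targets"].add(target)

        # Sliding window: reset if expired, otherwise extend on each new target.
        if ts > row["sliding_end"]:
            row["sliding_end"] = ts + self.sliding_window
            row["sliding_targets"] = set()
        if target not in row["sliding_targets"]:
            row["sliding_targets"].add(target)
            row["sliding_end"] += self.sliding_window * self.scale_factor

        alerts = []
        if len(row["fixed_targets"]) >= self.fixed_threshold:
            alerts.append(f"{src}: fixed-window talker threshold "
                          f"{self.fixed_threshold} reached at t={ts}")
        if len(row["sliding_targets"]) >= self.sliding_threshold:
            alerts.append(f"{src}: sliding-window talker threshold "
                          f"{self.sliding_threshold} reached at t={ts}")

        if self.alert_once:
            if src in self.alerted:
                return []
            if alerts:
                self.alerted.add(src)
        return alerts


# Talker values taken from the posted config.
CONFIG = dict(fixed_threshold=30, fixed_window=30,
              sliding_threshold=30, sliding_window=20, scale_factor=0.50)


def build_fast_scan():
    """Constructed flows: one host hitting ports 1-1024 at 10 flows/s, plus a
    benign host touching five ports over ten minutes. (ts, src, dst, dport)"""
    flows = [(i / 10.0, "10.0.0.99", "192.168.1.10", i + 1) for i in range(1024)]
    for k, port in enumerate((22, 80, 443, 25, 53)):
        flows.append((k * 120.0, "10.0.0.5", "192.168.1.10", port))
    return sorted(flows)


def build_slow_scan():
    """Constructed flows: one host probing a new port every 5 seconds for 60 ports."""
    return [(5.0 * i, "10.0.0.77", "192.168.1.10", i + 1) for i in range(60)]


def run(flows, config=CONFIG, alert_once=True):
    """Replay constructed flows through the scoreboard; return all alerts fired."""
    board = TalkerScoreboard(alert_once=alert_once, **config)
    fired = []
    for ts, src, dst, port in flows:
        fired.extend(board.observe(ts, src, dst, port))
    return fired


if __name__ == "__main__":
    for name, flows in (("fast", build_fast_scan()), ("slow", build_slow_scan())):
        print(name, run(flows))
```

With the posted values, the 1-1024 connect scan reaches both thresholds within three seconds (30 unique targets), while the benign host never does; the 5-second slow scan stays under the 30-second fixed window (at most six targets per window) but the sliding window keeps extending and fires at the 30th port. That split is the kind of thing worth checking when a sensor that was noisy under portscan2 goes completely silent: each window has to actually see new flows attributed to the same talker before either threshold can be reached.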