[Snort-users] Flow-portscan oddity

Douglas McCrea dmccrea at ...10965...
Wed Apr 14 08:16:04 EDT 2004

That's what I mean... Flow-Portscan works in the sense that it can be
configured to show that a scan or attack is happening from one host to
another, but it's totally useless without actually know what ports are
being scanned... As an analyst, the information below is nearly useless
to me. For instance, the patterns of the Phatbot worm were absolutely
necessary to detect a new variant. Portscan2 and my correlated firewall
logs allowed me to identify it and respond immediately with an
understanding of what ports were being looked for. It is this
information that is necessary to quickly decipher that a new exploit is
out, or that a machine is compromised. The documentation, however
extensive for flow-portscan, isn't comprehensive enough. I personally
operate on a baseline, then tweak my settings. The baseline that's in
snort.conf really doesn't give me anything to go on.


-----Original Message-----
From: Dusty Hall [mailto:halljer at ...8709...] 
Sent: Wednesday, April 14, 2004 10:27 AM
To: Todd_Pratt at ...11631...; Douglas McCrea; Chad.Kreimendahl at ...4716...
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Flow-portscan oddity

I guess I'll chime in...  Flow-Portscan seem to work ok for me but I
never know what port is getting scanned.  Thoughts?


04/14-14:21:00.987513  [**] [121:1:1] Portscan detected from 161.57.x.x
Talker(fixed: 0 sliding: 0) Scanner(fixed: 16 sliding: 16) [**]
04/14-14:21:34.725954  [**] [121:1:1] Portscan detected from 204.38.x.x
Talker(fixed: 0 sliding: 0) Scanner(fixed: 16 sliding: 14) [**]
04/14-14:21:38.207946  [**] [121:1:1] Portscan detected from 12.173.x.x
Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15) [**]
04/14-14:21:38.347495  [**] [121:1:1] Portscan detected from 12.173.x.x
Talker(fixed: 0 sliding: 0) Scanner(fixed: 40 sliding: 40) [**] 

preprocessor flow-portscan: \
server-watchnet [xxx.xxx.xxx.xxx\xx] \
dst-ignore-net [xxx.xxx.xxx.xxx\xx] \
src-ignore-net [xxx.xxx.xxx.xxx\xx] \
unique-memcap 5000000 unique-rows 50000 \ tcp-penalties on \ server-rows
65535 \ server-scanner-limit 50 \ alert-mode once \ #alert-mode all \
output-mode msg \ #output-mode pktkludge \ server-learning-time 3600

>>> "Kreimendahl, Chad J" <Chad.Kreimendahl at ...4716...> 4/13/2004 4:21:16 
>>> PM >>>
I haven't attempted the syslog method of alerting, but I doubt that's
it, being that their alerting method is centralized.  Have you generated
alerts on your own and verified them?

I've just attempted using your config with our setup, and again it did
not see my scans (and no, they did not originate from $HOME_NET).
What's your config for the flow preproc?


From: Todd_Pratt at ...11631... [mailto:Todd_Pratt at ...11631...]
Sent: Tuesday, April 13, 2004 2:02 PM
To: Douglas McCrea
Cc: Snort Users; snort-users-admin at lists.sourceforge.net
Subject: RE: [Snort-users] Flow-portscan oddity

flow-portscan works for me.  I get between 20 and 40 alerts per hour.
The only output I use is syslog so I don't know if that makes a

Here's the line I use: 

        preprocessor flow-portscan: alert-mode once src-ignore-net

I'm running 2.1.2 build 25 

Todd Pratt
Systems Security Certified Practitioner
IT Security Administrator
Harte Hanks, Inc.
ph 978-436-3368
tpratt at ...11631... 

"Douglas McCrea" <dmccrea at ...10965...>
Sent by: snort-users-admin at lists.sourceforge.net 

04/13/2004 11:56 AM 


This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux
tutorial presented by Daniel Robbins, President and CEO of GenToo
technologies. Learn everything from fundamentals to system
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list