[Snort-users] Flow-portscan oddity

Chris Green cmg at ...671...
Wed Apr 14 13:53:10 EDT 2004


"Douglas McCrea" <dmccrea at ...10965...> writes:

> That's what I mean... Flow-Portscan works in the sense that it can be
> configured to show that a scan or attack is happening from one host to
> another, but it's totally useless without actually knowing what ports are
> being scanned... As an analyst, the information below is nearly useless
> to me.

At most it will only keep the last machines scanned when outputting
via the pktkludge output. It's supposed to be a real time component to
give you something to alert on and then go look at NetFlow-esque data
from around that alert timerange to find out what was actually
being scanned.

I'll be the first to admit configuring it is a PITA, but it's good at
being consistent on memory usage.  It also suffers from having been shoved
into the same old output systems that everything else uses.

I think it also has way too many end user knobs exposed by default so
the command line configuration really sucks.

Cheers,
-- 
Chris Green <cmg at ...1121...>
"I have no ability to read string
       handling code in a gaim window" -- me
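The correlation step Chris describes, as an added example that is not part of the original thread or of Snort itself: take the source host and timestamp from a flow-portscan alert, pull the NetFlow-style records from a window around that time, and list the destination hosts and ports that source actually touched. The flow records, the alert time and the window size below are all constructed for illustration, and the record layout is an assumed simplified text format rather than any real collector's output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NetFlow-style records (not real capture data).
# Fields: start date, start time, proto, src ip, src port, dst ip, dst port, packets
FLOW_LINES = """\
2004-04-14 13:49:30 tcp 10.0.0.5 40990 192.168.1.10 80 12
2004-04-14 13:50:01 tcp 10.0.0.5 41000 192.168.1.10 22 1
2004-04-14 13:50:02 tcp 10.0.0.5 41001 192.168.1.10 23 1
2004-04-14 13:50:02 tcp 10.0.0.5 41002 192.168.1.10 25 1
2004-04-14 13:50:03 tcp 10.0.0.5 41003 192.168.1.10 80 1
2004-04-14 13:50:03 tcp 10.0.0.5 41004 192.168.1.11 22 1
2004-04-14 13:50:04 tcp 10.0.0.5 41005 192.168.1.10 443 1
2004-04-14 13:50:05 udp 10.0.0.5 41006 192.168.1.10 161 1
2004-04-14 13:50:20 tcp 10.0.0.7 50000 192.168.1.10 80 40
2004-04-14 14:10:00 tcp 10.0.0.5 41100 192.168.1.10 3389 1
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_flows(text):
    """Parse the assumed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, proto, src, sport, dst, dport, pkts = line.split()
        flows.append({
            "time": datetime.strptime(f"{date} {clock}", TIME_FMT),
            "proto": proto,
            "src": src,
            "sport": int(sport),
            "dst": dst,
            "dport": int(dport),
            "pkts": int(pkts),
        })
    return flows


def scanned_ports(flows, src, alert_time, window_seconds=60):
    """Map each destination host contacted by `src` within +/- window of the
    alert time to the sorted list of (proto, dst port) pairs it was sent."""
    lo = alert_time - timedelta(seconds=window_seconds)
    hi = alert_time + timedelta(seconds=window_seconds)
    touched = defaultdict(set)
    for f in flows:
        if f["src"] == src and lo <= f["time"] <= hi:
            touched[f["dst"]].add((f["proto"], f["dport"]))
    return {dst: sorted(ports) for dst, ports in touched.items()}


def ports_for_alert(flow_text, src, alert_time_str, window_seconds=60):
    """Convenience wrapper: flow text plus alert source/time string in, summary dict out."""
    alert_time = datetime.strptime(alert_time_str, TIME_FMT)
    return scanned_ports(parse_flows(flow_text), src, alert_time, window_seconds)


def format_summary(summary):
    """Render the summary as one line per destination host, e.g. for an analyst ticket."""
    lines = []
    for dst in sorted(summary):
        ports = " ".join(f"{proto}/{port}" for proto, port in summary[dst])
        lines.append(f"{dst}: {ports}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed alert: flow-portscan flagged 10.0.0.5 at 13:51:00; look 60 s either side.
    summary = ports_for_alert(FLOW_LINES, "10.0.0.5", "2004-04-14 13:51:00", 60)
    print(format_summary(summary))
```

The window filter is what keeps the ordinary web traffic from 10.0.0.7, the earlier long-lived connection at 13:49:30 and the later single probe at 14:10:00 out of the listing, so the output for the alert above shows just the six ports probed on 192.168.1.10 and the one on 192.168.1.11.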
