[Snort-users] portscan question

Matt Kettler mkettler at ...4108...
Wed Apr 28 11:52:07 EDT 2004

At 11:01 AM 4/28/2004, Darryl Cook wrote:

>I did some more testing and *was* able to reproduce the problem.  If you 
>put wsftp in passive mode and transfer several files in a row to the snort 
>server, it generates a false positive portscan.  Anyone know how to 
>correct this?

This isn't an unexpected result from the classic portscan preprocessor. 
It's very simple, and very stupid in it's analysis of traffic. While it is 
useful, it's very simple approach has a lot of limitations, like this one. 
That's why there are other portscan preprocessors in snort. They were 
created to improve upon spp_portscan.

You might have better luck with the more intelligent flow_portscan, which 
has a bit of a "popular service" learning behavior to it. However, it is 
more memory overhead.

Baring using a better portscan preprocessor, your best bet is to do a 
portscan_ignorehost for your FTP server, or all of your client IP's.

You can also try to reduce the time or increase the number of sessions to 
trigger an alert, but there's nothing to stop a passive ftp server from 
handing out hundreds, if not thousands, of connections per second to a 
client, all on different ports, collectively looking exactly like a 
high-speed portscan. It's all a matter of what's your expected connection rate.

More information about the Snort-users mailing list