[Snort-users] False positives with UDP Portscan PROTO255

Jeremy Hewlett jh at ...1935...
Wed Mar 9 10:01:06 EST 2005

On Sat, Mar 05, Mike Lieberman wrote:
> 	The black hats are without a doubt aware of this, but a portscan
> that can't distinguish normal traffic from abnormal traffic is of no more

How do you define abnormal traffic? Traffic you've never seen before?
Traffic which is crafted? 

> 	If I am getting 999 false positives to one true positive, what's the
> likelihood that I would catch the 'true' one? 

As Jeff Kell stated, what you're experiencing is the definition of a
portscan. We've gone through some lengths with TCP to weed out false
positives, but UDP is more difficult.

What methods have you tried in tuning the portscan preprocessor?
There's a section in the README.sfportscan that details some thoughts
on tuning this.

> 	With all respect to those who write and maintain the rules, I don't
> find this rule helpful and will seek to exclude port 53. IMHO we need a more
> sophisticated tool in this regard. 

This is the first release of sfPortscan, and thus it has just begun its
life cycle. I'm open to ideas on ways to make it better. Anyone is
welcome to send me ideas, patches, start discussions, etc.
