[Snort-users] portscan detection in snort 2.8.0

Cache Hit cachehit at ...13788...
Fri Oct 19 08:31:27 EDT 2007


I'm currently running snort 2.4.4 with the portscan and portscan2  
preprocessors that I have hooked into a script that generates  
iptables rules.   It works very well for what it is.

I recently have been playing with snort 2.8, trying to get at least  
the same level of detection, with at least as few or fewer false  
positives.   I notice that flow-portscan seems to work well at  
detecting some things portscan and portscan2 did not - like ICMP  
probes across my entire /22.   It also picks up nmap scans and things  
like that.   However, I've also noticed that it often seems to  
confuse source and destination, or at least it seems to be confusing  
them.   What I mean to say is, if I have a process running on a  
machine in my src-ignore-net that opens a bunch of connections and  
thus has a bunch of high ports for its receiving end flow-portscan  
will alert on the destination host that is connecting to those  
ephemeral ports on my originating machine, even though the IP address  
of the originating host is in my src-ignore-net.

Does anyone have any recommendations?   I figured flow/flow-portscan  
would determine source and destination based on who had the SYN flag  
set.    Because I'm not even talking about weird protocols like ftp  
that open their own receiving ports on the initiating host, I'm just  
talking about busy network programs, like a recursive wget, or  
something similar.

I haven't played much with sfportscan.   I had bad experiences  
attempting to use it when I upgraded from 1.9 to 2.4.4.

cachehit at ...13788...
“The sky above the port was the color of television, tuned to a dead  

More information about the Snort-users mailing list