[Snort-users] portscan detection in snort 2.8.0
Cache Hit
cachehit at ...13788...
Fri Oct 19 08:31:27 EDT 2007
Hello,
I'm currently running snort 2.4.4 with the portscan and portscan2
preprocessors that I have hooked into a script that generates
iptables rules. It works very well for what it is.
I recently have been playing with snort 2.8, trying to get at least
the same level of detection, with at least as few or fewer false
positives. I notice that flow-portscan seems to work well at
detecting some things portscan and portscan2 did not - like ICMP
probes across my entire /22. It also picks up nmap scans and things
like that. However, I've also noticed that it often seems to
confuse source and destination, or at least it seems to be confusing
them. What I mean to say is, if I have a process running on a
machine in my src-ignore-net that opens a bunch of connections and
thus has a bunch of high ports for its receiving end, flow-portscan
will alert on the destination host that is connecting to those
ephemeral ports on my originating machine, even though the IP address
of the originating host is in my src-ignore-net.
Does anyone have any recommendations? I figured flow/flow-portscan
would determine source and destination based on who had the SYN flag
set, because I'm not even talking about weird protocols like ftp
that open their own receiving ports on the initiating host; I'm just
talking about busy network programs, like a recursive wget, or
something similar.
I haven't played much with sfportscan. I had bad experiences
attempting to use it when I upgraded from 1.9 to 2.4.4.
thanks,
--
cachehit at ...13788...
“The sky above the port was the color of television, tuned to a dead
station.”
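The attribution problem described in the post above, as an added illustration that is not part of the original message and is not Snort's flow-portscan code: a toy scan detector run over constructed packet records. The records, the 10.0.0.0/22 ignore net, the addresses and the threshold of five distinct ports are all assumptions made for the example. One attribution treats every packet's sender as the potential scanner, so a server's SYN/ACK replies to a busy client's ephemeral ports look like a scan of that client by the server; the other only counts bare SYNs, so the ignore net is applied to the host that actually initiated the connections.

```python
"""Toy port-scan direction attribution (constructed example, not Snort code)."""
import ipaddress
from collections import defaultdict

# Constructed sample traffic, not captured data. Each record is
# (src_ip, src_port, dst_ip, dst_port, tcp_flags), flags as letters:
# "S" = SYN, "SA" = SYN/ACK.
def _client_session(client, server, n):
    """n HTTP connections from one client (e.g. a recursive wget):
    a SYN out from an ephemeral port, and the server's SYN/ACK back."""
    pkts = []
    for i in range(n):
        eph = 40000 + i                       # assumed ephemeral source port
        pkts.append((client, eph, server, 80, "S"))
        pkts.append((server, 80, client, eph, "SA"))
    return pkts

SAMPLE_PACKETS = (
    # busy client inside the ignore net fetching six objects from one web server
    _client_session("10.0.0.5", "203.0.113.10", 6)
    # an outside host probing six well-known ports on an internal machine
    + [("198.51.100.7", 51000 + i, "10.0.1.20", p, "S")
       for i, p in enumerate((21, 22, 23, 25, 80, 443))]
    # an authorized scanner inside the ignore net probing five ports
    + [("10.0.0.9", 52000 + i, "10.0.1.30", p, "S")
       for i, p in enumerate((22, 25, 80, 443, 3306))]
)

SRC_IGNORE_NET = ipaddress.ip_network("10.0.0.0/22")  # assumed src-ignore-net
THRESHOLD = 5  # distinct destination ports on one target before alerting


def _alerts(pairs, ignore_net):
    """pairs: iterable of (scanner, target, dst_port). Returns sorted
    (scanner, target, n_ports) alerts for scanners outside ignore_net."""
    ports = defaultdict(set)
    for scanner, target, port in pairs:
        ports[(scanner, target)].add(port)
    return sorted(
        (s, t, len(p)) for (s, t), p in ports.items()
        if len(p) >= THRESHOLD and ipaddress.ip_address(s) not in ignore_net
    )


def attribute_by_packet_source(packets, ignore_net=SRC_IGNORE_NET):
    """Naive: every packet's sender is the candidate scanner. The web
    server's SYN/ACKs to the client's six ephemeral ports count as the
    server touching six ports on the client, and the server is not in
    the ignore net, so it gets flagged."""
    return _alerts(((s, d, dp) for s, sp, d, dp, f in packets), ignore_net)


def attribute_by_syn(packets, ignore_net=SRC_IGNORE_NET):
    """Only bare SYNs (SYN set, ACK clear) identify an initiator; replies
    are ignored, so the ignore net applies to the host that opened the
    connections and the server is never a candidate."""
    return _alerts(((s, d, dp) for s, sp, d, dp, f in packets
                    if "S" in f and "A" not in f), ignore_net)


if __name__ == "__main__":
    print("by packet source:", attribute_by_packet_source(SAMPLE_PACKETS))
    print("by SYN initiator:", attribute_by_syn(SAMPLE_PACKETS))
```

With the constructed traffic, the packet-source attribution reports both the real probe from 198.51.100.7 and a spurious scan of 10.0.0.5 by 203.0.113.10 (its SYN/ACKs to ports 40000-40005), while the SYN-based attribution reports only 198.51.100.7; the authorized scanner 10.0.0.9 is suppressed by the ignore net in both cases because it is the initiator.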