[Snort-users] How many ports is considered a portsweep/portscan?
jlay at ...13475...
Thu Mar 18 22:04:27 EDT 2010
Have you tried this?
3. Make use of the Priority Count, Connection Count, IP Count, Port Count,
range, and Port range to determine false positives.
The portscan alert details are vital in determining the scope of a
and also the confidence of the portscan. In the future, we hope to
automate much of this analysis in assigning a scope level and
level, but for now the user must manually do this. The easiest way to
determine false positives is through simple ratio estimations. The
following is a list of ratios to estimate and the associated values
indicate a legimite scan and not a false positive.
Connection Count / IP Count: This ratio indicates an estimated average
connections per IP. For portscans, this ratio should be high, the
the better. For portsweeps, this ratio should be low.
Port Count / IP Count: This ratio indicates an estimated average of
connected to per IP. For portscans, this ratio should be high and
indicates that the scanned host's ports were connected to by fewer IPs.
For portsweeps, this ratio should be low, indicating that the scanning
connected to few ports but on many hosts.
Connection Count / Port Count: This ratio indicates an estimated
of connections per port. For portscans, this ratio should be low.
indicates that each connection was to a different port. For
this ratio should be high. This indicates that there were many
to the same port.
The reason that Priority Count is not included, is because the priority
count is included in the connection count and the above comparisons
that into consideration. The Priority Count play an important role in
tuning because the higher the priority count the more likely it is a
portscan or portsweep (unless the host is firewalled).
On Thu, Mar 18, 2010 at 9:10 AM, James Lay <jlay at ...13475...> wrote:
> Subject pretty much says it all...there are certain machines that I want to be
> able to detect a portsweep or scan, but not when they scan say 4 or 5 ports
> like booting up with netbios checking out other machines on a network (I think
> that¹s why I¹m seeing these FP¹s). Sfportscan is set to low, but I¹m not sure
> what else I can set? Thanks all.
I took a good solid read of the README for sfportscan, but at the end of the
day it seems that I¹m left with only a couple options of ignore_scanners,
and ignore_scanned. Am I reading something wrong? These seem pretty binary
to me....unless there¹s a more granular level of control that I¹m missing.
I have two server that chat with each other...if I use either of these
ignore lines, the my high amount of portscan alerts goes away, but then if
one of those servers is compromised, I would WANT to see any unusual
portscan type traffic. Does this make sense or do I sound way out of wack?
Like..the functionality to say ³an attempt to open 6 ports within 10 seconds
is fine to this range of 135-141, but an attempt to open 6 ports within 10
seconds of any other range and I want an alert². Or something close to
that. Thanks for the assist.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users