[Snort-users] How many ports is considered a portsweep/portscan?

James Lay jlay at ...13475...
Thu Mar 18 22:04:27 EDT 2010


Have you tried this?


  3. Make use of the Priority Count, Connection Count, IP Count, Port Count,
IP
     range, and Port range to determine false positives.

     The portscan alert details are vital in determining the scope of a
portscan
     and also the confidence of the portscan.  In the future, we hope to
     automate much of this analysis in assigning a scope level and
confidence
     level, but for now the user must manually do this.  The easiest way to
     determine false positives is through simple ratio estimations.  The
     following is a list of ratios to estimate and the associated values
that
     indicate a legimite scan and not a false positive.

     Connection Count / IP Count:  This ratio indicates an estimated average
of
     connections per IP.  For portscans, this ratio should be high, the
higher
     the better.  For portsweeps, this ratio should be low.

     Port Count / IP Count:  This ratio indicates an estimated average of
ports
     connected to per IP.  For portscans, this ratio should be high and
     indicates that the scanned host's ports were connected to by fewer IPs.
     For portsweeps, this ratio should be low, indicating that the scanning
host
     connected to few ports but on many hosts.

     Connection Count / Port Count:  This ratio indicates an estimated
average
     of connections per port.  For portscans, this ratio should be low.
 This
     indicates that each connection was to a different port.  For
portsweeps,
     this ratio should be high.  This indicates that there were many
connections
     to the same port.

     The reason that Priority Count is not included, is because the priority
     count is included in the connection count and the above comparisons
take
     that into consideration.  The Priority Count play an important role in
     tuning because the higher the priority count the more likely it is a
real
     portscan or portsweep (unless the host is firewalled).


On Thu, Mar 18, 2010 at 9:10 AM, James Lay <jlay at ...13475...> wrote:
> Subject pretty much says it all...there are certain machines that I want to be
> able to detect a portsweep or scan, but not when they scan say 4 or 5 ports
> like booting up with netbios checking out other machines on a network (I think
> that¹s why I¹m seeing these FP¹s).  Sfportscan is set to low, but I¹m not sure
> what else I can set?  Thanks all.
> 


Thanks Matt,

I took a good solid read of the README for sfportscan, but at the end of the
day it seems that I¹m left with only a couple options of ignore_scanners,
and ignore_scanned.  Am I reading something wrong?  These seem pretty binary
to me....unless there¹s a more granular level of control that I¹m missing.
I have two server that chat with each other...if I use either of these
ignore lines, the my high amount of portscan alerts goes away, but then if
one of those servers is compromised, I would WANT to see any unusual
portscan type traffic.  Does this make sense or do I sound way out of wack?
Like..the functionality to say ³an attempt to open 6 ports within 10 seconds
is fine to this range of 135-141, but an attempt to open 6 ports within 10
seconds of any other range and I want an alert².  Or something close to
that.  Thanks for the assist.

James
> 
> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100318/f93bc1d7/attachment.html>


More information about the Snort-users mailing list