[Snort-users] Dealing with portscans

Bilal Malik bilalmlk92 at ...11827...
Mon Oct 8 11:41:14 EDT 2012


Hi,

I have 3 snort sensors that are monitoring the uplink ports of three
different stacked switches. Each stacked switch has various VLANs. I am
interested in detecting malicious portscans.


The problem is that the network is so large (1000-3000 users at peak time), all
of whom surf the web. Most of the time, I see portscans from Google (which I
assume is normal web browsing traffic) and other websites like Facebook,
Amazon etc. I don't want to be alerted when a user surfs legitimate
websites because that's a false positive.

Writing rules in the threshold.conf file will help me suppress that, but the
problem is that there are so MANY users going to so MANY different
legitimate websites that it will be a never-ending job to write rules in the
threshold.conf file.


I am only interested in a portscan if it comes from an insecure public
network to my internal corporate network or from my public wifi hotspot to
my internal server network.

Let's say 10.10.0.0/16 is my public wifi network, 10.20.0.0/16 is my
internal network and 10.30.0.0/16 is my server network.

I definitely want to be alerted when someone from my public wifi network
reaches into my internal network or server network, because the server
network only provides services for the users in the internal network.

How can I tune Snort to detect such portscans?

There are the options ignore_scanners [List of IPs] and ignore_scanned [List
of IPs].
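One way to get the narrowed alerting asked for above, as an added example that is not part of the original post or of Snort itself: a post-filter over sfportscan alerts in Snort's alert_fast format that keeps only scans whose source is in 10.10.0.0/16 and whose target is in 10.20.0.0/16 or 10.30.0.0/16, so web-surfing noise never matches regardless of how many sites users visit. The regular expression for the alert line shape and the sample alerts are constructed assumptions, not captures from a real sensor.

```python
"""Post-filter Snort sfportscan alerts (alert_fast format): keep only scans
from the public wifi network into the internal or server network."""
import ipaddress
import re

# Address plan from the post.
WIFI = ipaddress.ip_network("10.10.0.0/16")
INTERNAL = ipaddress.ip_network("10.20.0.0/16")
SERVERS = ipaddress.ip_network("10.30.0.0/16")
PROTECTED = (INTERNAL, SERVERS)

# Assumed regex for the alert_fast line shape; GID 122 is sfportscan.
# Classification is optional since preprocessor events may omit it.
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: \d+\] \S+ "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)

def parse_alert(line):
    """Return a dict for an sfportscan alert, None for anything else."""
    m = FAST_RE.search(line)
    if not m or m.group("gid") != "122":
        return None
    return {"sid": int(m.group("sid")), "msg": m.group("msg"),
            "src": ipaddress.ip_address(m.group("src")),
            "dst": ipaddress.ip_address(m.group("dst"))}

def is_policy_scan(alert):
    """True only when a wifi host scans an internal or server host."""
    return alert["src"] in WIFI and any(alert["dst"] in n for n in PROTECTED)

def filter_alerts(lines):
    """Alerts worth acting on; scans to or from the public web never match."""
    return [a for a in map(parse_alert, lines) if a and is_policy_scan(a)]

# Constructed sample alerts, not captures from a real sensor.
SAMPLE = [
    "[**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] "
    "10/08-11:41:14.000000 10.10.4.7 -> 10.30.0.12 PROTO:255",
    "[**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] "
    "10/08-11:41:15.000000 10.20.7.33 -> 203.0.113.10 PROTO:255",
    "[**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] "
    "10/08-11:41:16.000000 203.0.113.10 -> 10.20.7.33 PROTO:255",
    "[**] [122:5:1] (portscan) TCP Filtered Portscan [**] [Priority: 3] "
    "10/08-11:41:17.000000 10.10.9.2 -> 10.20.1.1 PROTO:255",
    "[**] [1:1000001:1] constructed rule [**] [Priority: 2] "
    "10/08-11:41:18.000000 10.10.9.2:4444 -> 10.30.0.5:22 TCP",
]
```

Of the five constructed lines only the two wifi-to-protected scans survive; the internal user sweeping a web server, the web server "scanning" back, and the non-portscan rule hit are all dropped.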