
| Subject: | [Snort-users] portscan detection in snort 2.8.0 |
|---|---|
| Date: | Fri, 19 Oct 2007 07:31:27 -0500 |
Hello,

I'm currently running snort 2.4.4 with the portscan and portscan2 preprocessors, which I have hooked into a script that generates iptables rules. It works very well for what it is.

I recently have been playing with snort 2.8, trying to get at least the same level of detection, with at least as few or fewer false positives. I notice that flow-portscan seems to work well at detecting some things portscan and portscan2 did not - like ICMP probes across my entire /22. It also picks up nmap scans and things like that.

However, I've also noticed that it often seems to confuse source and destination, or at least it seems to be confusing them. What I mean to say is, if I have a process running on a machine in my src-ignore-net that opens a bunch of connections and thus has a bunch of high ports for its receiving end, flow-portscan will alert on the destination host that is connecting to those ephemeral ports on my originating machine, even though the IP address of the originating host is in my src-ignore-net.

Does anyone have any recommendations? I figured flow/flow-portscan would determine source and destination based on who had the SYN flag set, because I'm not even talking about weird protocols like ftp that open their own receiving ports on the initiating host; I'm just talking about busy network programs, like a recursive wget, or something similar.

I haven't played much with sfportscan. I had bad experiences attempting to use it when I upgraded from 1.9 to 2.4.4.

thanks,

--
cachehit@webii.net
“The sky above the port was the color of television, tuned to a dead station.”
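The behaviour the poster expects (attribute a flow to whichever side sent the bare SYN, then honour the ignore net for that initiator) versus the behaviour he observes (every packet credited to its IP-header source, so a server answering a busy client on many ephemeral ports looks like a scanner) can be shown side by side. The script below is an added illustration written for this archive page; it is not Snort's flow-portscan code and does not claim to reproduce its internals. The packet records, the ignore net `10.0.0.0/22` and the threshold of 5 distinct target ports are all constructed for the example.

```python
"""Direction-aware vs. naive port-scan counting (added example, not Snort's
flow-portscan code).  Models what the post expects: decide which side
initiated a TCP flow from the first bare SYN, count distinct target ports
per *initiator*, and skip initiators in the ignore list (the post's
src-ignore-net).  The naive counter credits every packet to its IP source,
which is how a busy client's return traffic gets mistaken for a scan.
All packet records here are constructed, not captured.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network


def build_sample_packets():
    """Constructed traffic: (src, sport, dst, dport, tcp_flags)."""
    pkts = []
    # A recursive-wget-style client in the ignore net opening 12 connections
    # to one web server; each connection uses a fresh ephemeral source port.
    for sport in range(40000, 40012):
        pkts.append(("10.0.0.5", sport, "203.0.113.10", 80, "S"))
        pkts.append(("203.0.113.10", 80, "10.0.0.5", sport, "SA"))
        pkts.append(("10.0.0.5", sport, "203.0.113.10", 80, "A"))
    # An outside host probing 8 ports on one internal machine; the target
    # answers each closed port with RST/ACK.
    for i, dport in enumerate([21, 22, 23, 25, 80, 110, 143, 443]):
        pkts.append(("198.51.100.7", 55000 + i, "10.0.0.20", dport, "S"))
        pkts.append(("10.0.0.20", dport, "198.51.100.7", 55000 + i, "RA"))
    return pkts


def _in_nets(ip, nets):
    return any(ip_address(ip) in n for n in nets)


def direction_aware_alerts(packets, src_ignore_nets, threshold):
    """Return the set of initiator IPs that touched >= threshold distinct
    (target, port) pairs.  Direction comes from the bare SYN; packets of a
    flow whose SYN was never seen are not attributed to anyone."""
    ignore = [ip_network(n) for n in src_ignore_nets]
    initiator = {}               # flow key -> (initiator_ip, target_ip, target_port)
    targets = defaultdict(set)   # initiator_ip -> {(target_ip, target_port)}
    for src, sport, dst, dport, flags in packets:
        key = frozenset([(src, sport), (dst, dport)])  # same key both directions
        if flags == "S" and key not in initiator:
            initiator[key] = (src, dst, dport)
        if key not in initiator:
            continue             # mid-stream pickup: do not guess the direction
        init, tgt, tport = initiator[key]
        if not _in_nets(init, ignore):
            targets[init].add((tgt, tport))
    return {ip for ip, t in targets.items() if len(t) >= threshold}


def naive_alerts(packets, src_ignore_nets, threshold):
    """Same count, but every packet is credited to its IP-header source,
    so a server's SYN/ACK replies to many ephemeral ports look like a scan."""
    ignore = [ip_network(n) for n in src_ignore_nets]
    targets = defaultdict(set)
    for src, sport, dst, dport, flags in packets:
        if not _in_nets(src, ignore):
            targets[src].add((dst, dport))
    return {ip for ip, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    pkts = build_sample_packets()
    print("naive:          ", sorted(naive_alerts(pkts, ["10.0.0.0/22"], 5)))
    print("direction-aware:", sorted(direction_aware_alerts(pkts, ["10.0.0.0/22"], 5)))
```

With the ignore net set to `10.0.0.0/22`, the naive counter reports both the real prober and the innocent web server (`203.0.113.10` answered twelve different ephemeral ports on the ignored client), while the direction-aware counter reports only the prober. Dropping the ignore net entirely still does not flag the wget client, because all of its connections land on a single (target, port) pair; the count is of distinct targets, not of connections.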