Snort mailing list archives
Portscan2 and target limit
From: "Alan Kloster" <akloster () SPP ORG>
Date: Fri, 8 Nov 2002 08:42:36 -0600
Hello,
I am using Version 1.9.0 (Build 209) on RedHat 7.3 and everything is working fine except for the new portscan2
directive. I currently have it set at these levels:
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 30, port_limit 30, timeout 5
It is my understanding that with a target_limit setting of 30, a portscan would have to hit 30 different targets before
an alert would be triggered. Here's the relevant section from the FM:
"target_limit
number of hosts a scanner must talk to before a scan is triggered "
If this is indeed the case, why am I still seeing dozens of the following types of alerts:
(spp_portscan2) Portscan detected from 64.4.36.24: 1 targets 31 ports in 4 seconds
If I read that correctly, it says that the scanner at 64.4.36.24 hit 31 ports on 1 target in 4 seconds. According to
the target_limit setting of 30, I should never see these alerts. What's up?? I have seen some other posts regarding
the same subject (yes, I searched the archives), but there have been no answers other than to add
portscan2-ignorehosts. All of these alerts are coming from people surfing the web. Most seem to be from pop up ads.
Well that seems a little impractical for every web site out there that could generate this type of portscan2 alert.
Am I doing something wrong? I have tried different amounts for target_limit, but every time I continue to see these
types of alerts. As always, thanks for your time and effort in replying to my probably silly question.
Alan Kloster
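
An added example (not part of the original post, and not Snort code): a small Python triage helper that parses the preprocessor line and the alert line quoted above and reports which configured limits the alert's counts exceed. The function names are hypothetical, and it only compares the reported numbers; it does not model portscan2's internal trigger logic.

```python
import re

# The preprocessor line and the alert line, copied from the post above.
CONFIG = ("preprocessor portscan2: scanners_max 3200, targets_max 5000, "
          "target_limit 30, port_limit 30, timeout 5")
ALERT = ("(spp_portscan2) Portscan detected from 64.4.36.24: "
         "1 targets 31 ports in 4 seconds")

ALERT_RE = re.compile(
    r"\(spp_portscan2\) Portscan detected from (?P<src>\S+): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<seconds>\d+) seconds")


def parse_config(line):
    """Return the portscan2 options as a dict of option name -> int."""
    _, _, opts = line.partition("portscan2:")
    result = {}
    for item in opts.split(","):
        parts = item.split()
        if len(parts) == 2 and parts[1].isdigit():
            result[parts[0]] = int(parts[1])
    return result


def parse_alert(line):
    """Return the source and counts from a spp_portscan2 alert, or None."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    out = {"src": m.group("src")}
    for key in ("targets", "ports", "seconds"):
        out[key] = int(m.group(key))
    return out


def limits_exceeded(config, alert):
    """List the configured limits that the alert's reported counts exceed."""
    # Assumption: plain numeric comparison, not Snort's internal trigger logic.
    pairs = (("target_limit", "targets"), ("port_limit", "ports"))
    return [opt for opt, field in pairs
            if opt in config and alert[field] > config[opt]]


if __name__ == "__main__":
    cfg, alert = parse_config(CONFIG), parse_alert(ALERT)
    print(alert["src"], "exceeds:", limits_exceeded(cfg, alert))
```

For the alert quoted in the post, the only configured value the reported counts exceed is port_limit (31 ports against a limit of 30); the target count of 1 is well under target_limit.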
