Snort mailing list archives

sfPortscan - Unfiltered PortScan Detected, Missing Most Open Port Alerts


From: "staff" <staff () AandRTech net>
Date: Sat, 31 Jan 2009 14:02:54 -0500 (EST)

Hello all,

I am working on the sfPortScan preprocessor and I came across a few things
I cannot seem to resolve; hopefully you guys can help. I have done all
the reading I can find on the issue. I have a book on Snort, however it is
not with me at the moment.

The first thing I noticed is that the PortScan detection is (by far) most
accurate when there is no firewall in the path (TCP Portscan). That said,
when I scan a system that has 16 open ports, I see the initial TCP
Portscan alert (shown below).

-------
Time: 01/31-13:44:27.280811
event_id: 174
a.b.c.d -> a.b.c.t (portscan) TCP Portscan
Priority Count: 10
Connection Count: 18
IP Count: 1
Scanner IP Range: a.b.c.d:a.b.c.d
Port/Proto Count: 18
Port/Proto Range: 47:457
--------

While the Port Range is pretty accurate (really is 1-500), I only get 7
"Open Port" alerts. Strange thing is the system a.b.c.d that did the
scanning got 16 SYN/ACKs back...

So where are my 8 other Open Port alerts?

Regarding the config, it is just straight Snort (no db) below the
preprocessor line. The system has plenty of hardware and the target is in
a VM, Snort is running on the host, and the source is a different box.

---
preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000 } sense_level { medium } logfile { sfPortscan.log }
---
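As an added example (not code from the post or from the Snort project), the following Python script parses an sfPortscan logfile, links each "Open Port" record to its scan event through event_ref, and reports how many Open Port alerts the event carries next to the event's own Port/Proto Count and next to the number of SYN/ACKs the scanning host actually received. The Open Port record layout assumed here follows Snort's README.sfportscan; the sample log is constructed, and its open-port numbers are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sfPortscan logfile sample (not from the post): the TCP Portscan
# record quoted in the post, followed by Open Port records that point back to
# it through event_ref. The port numbers are invented for illustration.
SAMPLE_LOG = """\
Time: 01/31-13:44:27.280811
event_id: 174
a.b.c.d -> a.b.c.t (portscan) TCP Portscan
Priority Count: 10
Connection Count: 18
IP Count: 1
Scanner IP Range: a.b.c.d:a.b.c.d
Port/Proto Count: 18
Port/Proto Range: 47:457
""" + "".join(
    f"""
Time: 01/31-13:44:27.28{i:04d}
event_ref: 174
a.b.c.d -> a.b.c.t (portscan) Open Port
Open Port: {port}
"""
    for i, port in enumerate([53, 80, 110, 111, 135, 139, 143], start=1)
)

# The one line of each record that is not "key: value" is the header naming
# scanner, target and record type, e.g. "a.b.c.d -> a.b.c.t (portscan) Open Port".
HEADER_RE = re.compile(r"^(\S+) -> (\S+) \(portscan\) (.+)$")


def parse_records(text):
    """Split the logfile into records (blank-line separated) and return each
    as a dict of its fields plus src/dst/type taken from the header line."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = HEADER_RE.match(line)
            if m:
                rec["src"], rec["dst"], rec["type"] = m.groups()
            elif ":" in line:
                key, _, value = line.partition(":")
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def summarize(records):
    """Group Open Port records under the scan event they reference and
    return, per event_id, the scan metadata and the open ports logged."""
    events = {}
    open_ports = defaultdict(list)
    for rec in records:
        if rec.get("type") == "Open Port":
            open_ports[rec["event_ref"]].append(int(rec["Open Port"]))
        elif "event_id" in rec:
            events[rec["event_id"]] = rec
    summary = {}
    for eid, rec in events.items():
        ports = sorted(open_ports.get(eid, []))
        summary[eid] = {
            "scan_type": rec["type"],
            "scanner": rec["src"],
            "target": rec["dst"],
            "port_proto_count": int(rec["Port/Proto Count"]),
            "open_ports": ports,
            "open_port_alerts": len(ports),
        }
    return summary


def unaccounted_open_ports(event_summary, observed_syn_acks):
    """Number of SYN/ACKs the scanning host received that have no matching
    Open Port alert in the sensor's log for this event."""
    return observed_syn_acks - event_summary["open_port_alerts"]


if __name__ == "__main__":
    summary = summarize(parse_records(SAMPLE_LOG))
    for eid, info in summary.items():
        print(f"event {eid}: {info['scan_type']} {info['scanner']} -> {info['target']}")
        print(f"  ports probed (Port/Proto Count): {info['port_proto_count']}")
        print(f"  Open Port alerts logged:         {info['open_port_alerts']} {info['open_ports']}")
        # 16 is the SYN/ACK count reported by the scanning host in the post.
        print(f"  SYN/ACKs seen by scanner but not alerted: "
              f"{unaccounted_open_ports(info, observed_syn_acks=16)}")
```

Point the script at the real sfPortscan.log instead of SAMPLE_LOG to get the per-event count from the sensor's own record. sfPortscan logs an Open Port only when it sees the target's SYN/ACK, so a gap between the logged count and the SYN/ACKs the scanner received narrows the question to whether the sensor's capture point actually sees that return traffic, which is the first thing to check when the target sits in a VM and Snort runs on the host.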

