Snort mailing list archives
Re: How many ports is considered a portsweep/portscan?
From: Matt Olney <molney () sourcefire com>
Date: Thu, 18 Mar 2010 09:39:10 -0400
Have you tried this?

3. Make use of the Priority Count, Connection Count, IP Count, Port Count, IP range, and Port range to determine false positives.

The portscan alert details are vital in determining the scope of a portscan and also the confidence of the portscan. In the future, we hope to automate much of this analysis in assigning a scope level and confidence level, but for now the user must manually do this. The easiest way to determine false positives is through simple ratio estimations. The following is a list of ratios to estimate and the associated values that indicate a legitimate scan and not a false positive.

Connection Count / IP Count: This ratio indicates an estimated average of connections per IP. For portscans, this ratio should be high, the higher the better. For portsweeps, this ratio should be low.

Port Count / IP Count: This ratio indicates an estimated average of ports connected to per IP. For portscans, this ratio should be high and indicates that the scanned host's ports were connected to by fewer IPs. For portsweeps, this ratio should be low, indicating that the scanning host connected to few ports but on many hosts.

Connection Count / Port Count: This ratio indicates an estimated average of connections per port. For portscans, this ratio should be low. This indicates that each connection was to a different port. For portsweeps, this ratio should be high. This indicates that there were many connections to the same port.

The reason that Priority Count is not included is because the priority count is included in the connection count and the above comparisons take that into consideration. The Priority Count plays an important role in tuning because the higher the priority count the more likely it is a real portscan or portsweep (unless the host is firewalled).
On Thu, Mar 18, 2010 at 9:10 AM, James Lay <jlay () slave-tothe-box net> wrote:
Subject pretty much says it all...there are certain machines that I want to be able to detect a portsweep or scan, but not when they scan say 4 or 5 ports like booting up with netbios checking out other machines on a network (I think that's why I'm seeing these FP's). Sfportscan is set to low, but I'm not sure what else I can set? Thanks all.

James
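The ratio check quoted above, worked as an added example that is not from the thread or from Snort itself: it reads constructed text laid out like sfportscan alert records, computes the three ratios, and labels each record. The field names mirror the sfportscan alert format, while the 1.5 split between "one connection per port" and "many connections per port" and the min_ports/min_hosts thresholds are assumptions chosen for illustration.

```python
import re

# Constructed sample in the style of sfportscan alert records (not from the thread).
SAMPLE_ALERTS = """\
192.0.2.10 -> 192.0.2.50 (portscan) TCP Portscan
Priority Count: 12
Connection Count: 14
IP Count: 1
Scanned IP Range: 192.0.2.50:192.0.2.50
Port/Proto Count: 14
Port/Proto Range: 21:445

192.0.2.10 -> 192.0.2.1 (portsweep) TCP Portsweep
Priority Count: 3
Connection Count: 40
IP Count: 38
Scanned IP Range: 192.0.2.1:192.0.2.254
Port/Proto Count: 1
Port/Proto Range: 139:139
"""

FIELD_RE = re.compile(r"^(Priority Count|Connection Count|IP Count|Port/Proto Count): (\d+)$", re.M)


def parse_alerts(text):
    """Split the text on blank lines and collect each record's four counters."""
    records = []
    for block in text.strip().split("\n\n"):
        counts = {key: int(val) for key, val in FIELD_RE.findall(block)}
        if len(counts) == 4:  # skip anything that is not a complete record
            records.append(counts)
    return records


def ratios(rec):
    """The three ratios from the tuning guidance quoted above (zero-safe)."""
    ips, ports = max(rec["IP Count"], 1), max(rec["Port/Proto Count"], 1)
    conns = rec["Connection Count"]
    return {"conn_per_ip": conns / ips, "ports_per_ip": ports / ips,
            "conn_per_port": conns / ports}


def classify(rec, min_ports=6, min_hosts=6):
    """Label a record; min_ports/min_hosts are assumed tuning knobs so that a
    few ports on a few hosts (e.g. NetBIOS neighbour checks) is not a scan."""
    r = ratios(rec)
    if rec["Port/Proto Count"] < min_ports and rec["IP Count"] < min_hosts:
        return "probably-benign"
    if r["ports_per_ip"] > 1 and r["conn_per_port"] <= 1.5:
        return "portscan"   # many ports, about one connection per port
    if r["ports_per_ip"] < 1 and r["conn_per_port"] > 1.5:
        return "portsweep"  # few ports hit across many hosts
    return "unclear"
```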
