Pantek Library

RE: Detecting Connections in Snort

From: Faiz Ahmad Shuja <faizshuja(at)yahoo.it>
Date: Mon Jun 02 2003 - 11:34:39 EDT


Snort's portscan preprocessor works on TCP connection attempts to more than P ports in T seconds, or UDP packets sent to more than P ports in T seconds. It doesn't work for C connections to destination port P in T seconds.

Currently the format is:

portscan: <monitor network> <number of ports> <detection period> <file path>

it should be something like:

portscan: <monitor network> <number of connections> <dst port> <detection period> <file path>

Though this preprocessor has the capability that alerts are shown only once per scan, rather than once for each packet, so it could be modified to use a specific connection-count threshold for a single alert.

Is this possible?

Regards,
Faiz


-----Original Message-----
From: Marcelo Olguin [mailto:molguin@inf.utfsm.cl]
Sent: Monday, June 02, 2003 7:38 PM
To: Faiz Ahmad Shuja; focus-ids@securityfocus.com
Subject: Re: Detecting Connections in Snort

I understand that there exists a particular functionality in Snort's portscan preprocessor which lets you set a threshold for connections. You can find more information in the Snort 2.0 book (Syngress).

Bye

Marcelo
-.-

Faiz Ahmad Shuja wrote:

>Does anybody have an idea about detecting multiple connections from a

  • application/x-pkcs7-signature attachment: smime.p7s
Received on Mon Jun 2 21:06:26 2003
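The detector Faiz sketches above (C connections from one source to destination port P within T seconds, alerting once per burst rather than once per packet) can be written as a small sliding-window counter. The following is an added illustration, not code from the thread or from Snort's portscan preprocessor; the log format, the sample lines, and the "quiet period" used to approximate once-per-scan alerting are all constructed assumptions for this example.

```python
from collections import defaultdict, deque

# Constructed sample connection log (NOT Snort output), one connection attempt per line:
# "<epoch seconds> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
0.0 10.0.0.5 192.0.2.10 22
0.5 10.0.0.5 192.0.2.10 22
1.0 10.0.0.5 192.0.2.10 22
1.5 10.0.0.5 192.0.2.10 22
2.0 10.0.0.5 192.0.2.10 22
2.5 10.0.0.5 192.0.2.10 22
3.0 10.0.0.7 192.0.2.10 80
9.0 10.0.0.7 192.0.2.10 80
20.0 10.0.0.5 192.0.2.10 22
20.2 10.0.0.5 192.0.2.10 22
20.4 10.0.0.5 192.0.2.10 22
20.6 10.0.0.5 192.0.2.10 22
20.8 10.0.0.5 192.0.2.10 22
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, dst, port = line.split()
    return float(ts), src, dst, int(port)


class ConnectionRateDetector:
    """Alert when one source opens at least `connections` connections to
    `dst_port` within a sliding window of `period` seconds.

    A burst that keeps going after the threshold is reached produces a single
    alert: the source is kept quiet until it has been idle for `period`
    seconds (a simplification of "alert once per scan", not Snort's logic)."""

    def __init__(self, connections, dst_port, period):
        self.connections = connections
        self.dst_port = dst_port
        self.period = period
        self.windows = defaultdict(deque)  # src_ip -> timestamps inside the window
        self.quiet_until = {}              # src_ip -> time until which alerts are suppressed

    def observe(self, ts, src_ip, dst_ip, dst_port):
        """Feed one connection attempt; return (ts, src_ip, count) on alert, else None."""
        if dst_port != self.dst_port:
            return None
        window = self.windows[src_ip]
        window.append(ts)
        # Drop attempts that fell out of the T-second window.
        while window and ts - window[0] > self.period:
            window.popleft()
        if len(window) < self.connections:
            return None
        # Threshold reached: extend the quiet period while the burst continues,
        # but only emit an alert when the source was not already quiet.
        was_quiet = ts < self.quiet_until.get(src_ip, float("-inf"))
        self.quiet_until[src_ip] = ts + self.period
        if was_quiet:
            return None
        return (ts, src_ip, len(window))


def detect(log_text, connections=5, dst_port=22, period=5.0):
    """Run the detector over log text and return the list of alerts raised."""
    detector = ConnectionRateDetector(connections, dst_port, period)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = detector.observe(*parse_line(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for ts, src, count in detect(SAMPLE_LOG):
        print(f"t={ts:5.1f} {src} reached {count} connections to port 22")
```

Run as-is, the sample produces two alerts for 10.0.0.5 (at t=2.0 and again at t=20.8 after an idle gap); the sixth attempt at t=2.5 is suppressed as part of the first burst, and the two slow attempts to port 80 never reach the threshold. Raising `connections` to 7 yields no alert at all, since neither burst gets that far inside five seconds.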

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:12 EDT

