[Oisf-users] How suricata detects portscans??

Will Metcalf william.metcalf at gmail.com
Tue Apr 12 14:52:37 EDT 2011


No, there is no portscan detection... When we asked if there was
interest in portscan detection at multiple public OISF meetings, the
overwhelming response we got was "don't waste your time".  I think
this is because most people don't see portscans as actionable
intelligence, existing implementations tend to fp a lot and are
usually disabled, and/or existing implementations can be easily
defeated with low and slow scans.  Is anybody actually interested in
this?  Is it actually useful to you?

Regards,

Will

On Tue, Apr 12, 2011 at 1:35 PM, carlopmart <carlopmart at gmail.com> wrote:
> On 04/12/2011 10:57 AM, carlopmart wrote:
>>
>> Hi all,
>>
>> How suricata detects portscans?? For example, I have had a simple test
>> doing:
>>
>> [carlos at laptop sguil]$ nmap srvdns
>>
>> Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-12 10:53 CEST
>> Nmap scan report for srvdns (172.25.50.10)
>> Host is up (0.0011s latency).
>> Not shown: 998 closed ports
>> PORT STATE SERVICE
>> 22/tcp open ssh
>> 53/tcp open domain
>>
>> Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
>>
>> Alerts detected by suricata:
>>
>> 04/12-10:53:13.589141 [**] [1:2010937:2] ET POLICY Suspicious inbound to
>> mySQL port 3306 [**] [Classification: Potentially Bad Traffic]
>> [Priority: 2] {TCP} 172.25.50.30:57780 -> 172.25.50.10:3306
>> 04/12-10:53:13.590083 [**] [1:1418:11] GPL SNMP request tcp [**]
>> [Classification: Attempted Information Leak] [Priority: 2] {TCP}
>> 172.25.50.30:37988 -> 172.25.50.10:161
>> 04/12-10:53:13.590408 [**] [1:2010935:2] ET POLICY Suspicious inbound to
>> MSSQL port 1433 [**] [Classification: Potentially Bad Traffic]
>> [Priority: 2] {TCP} 172.25.50.30:60815 -> 172.25.50.10:1433
>>
>> But, why not an alert is fired like a "portscan detected" or something
>> similar??
>>
>
> Nothing??
>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>


More information about the Oisf-users mailing list