[Oisf-users] How does Suricata detect portscans?

Robert Vineyard robert.vineyard at oit.gatech.edu
Tue Apr 12 21:49:10 UTC 2011


IMHO portscan / DOS detection is much easier and more efficient using
netflow tools if you're interested in such things - when doing DPI it always
seemed like a waste of cycles that could be better used to look for more
interesting signatures.

Just my 2c.

--
Robert Vineyard, CISSP, RHCE, Security+
Senior Information Security Engineer
404-385-6900 (office/cell)
404-894-9548 (fax)

On 4/12/2011 2:52 PM, Will Metcalf wrote:
> No, there is no portscan detection... When we asked if there was
> interest in portscan detection at multiple public OISF meetings, the
> overwhelming response we got was "don't waste your time".  I think
> this is because most people don't see portscans as actionable
> intelligence, existing implementations tend to fp a lot and are
> usually disabled, and/or existing implementations can be easily
> defeated with low and slow scans.  Is anybody actually interested in
> this?  Is it actually useful to you?
> 
> Regards,
> 
> Will
> 
> On Tue, Apr 12, 2011 at 1:35 PM, carlopmart <carlopmart at gmail.com> wrote:
>> On 04/12/2011 10:57 AM, carlopmart wrote:
>>>
>>> Hi all,
>>>
>>> How does Suricata detect portscans? For example, I ran a simple test:
>>>
>>> [carlos at laptop sguil]$ nmap srvdns
>>>
>>> Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-12 10:53 CEST
>>> Nmap scan report for srvdns (172.25.50.10)
>>> Host is up (0.0011s latency).
>>> Not shown: 998 closed ports
>>> PORT STATE SERVICE
>>> 22/tcp open ssh
>>> 53/tcp open domain
>>>
>>> Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
>>>
>>> Alerts detected by suricata:
>>>
>>> 04/12-10:53:13.589141 [**] [1:2010937:2] ET POLICY Suspicious inbound to
>>> mySQL port 3306 [**] [Classification: Potentially Bad Traffic]
>>> [Priority: 2] {TCP} 172.25.50.30:57780 -> 172.25.50.10:3306
>>> 04/12-10:53:13.590083 [**] [1:1418:11] GPL SNMP request tcp [**]
>>> [Classification: Attempted Information Leak] [Priority: 2] {TCP}
>>> 172.25.50.30:37988 -> 172.25.50.10:161
>>> 04/12-10:53:13.590408 [**] [1:2010935:2] ET POLICY Suspicious inbound to
>>> MSSQL port 1433 [**] [Classification: Potentially Bad Traffic]
>>> [Priority: 2] {TCP} 172.25.50.30:60815 -> 172.25.50.10:1433
>>>
>>> But why isn't an alert fired, like "portscan detected" or something
>>> similar?
>>>
>>
>> Nothing??
>>
>>
>> --
>> CL Martinez
>> carlopmart {at} gmail {d0t} com
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
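As an added illustration of the flow-based approach mentioned above (example code written for this page, not code from the thread or from Suricata), the following Python sketch counts distinct destination ports per source over a sliding time window on constructed flow records. The constructed records include a fast scan, a benign client and a low-and-slow scan, so the effect of the window size on detection and on the evasion Will describes is visible; all record values, window and threshold are assumptions.

```python
from collections import defaultdict, deque

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# The shape mimics a minimal NetFlow/IPFIX export; every value is made up.
FLOWS = [
    # Fast scan: one source touching 40 ports on the target within 0.4 s
    *[(1000.0 + i * 0.01, "172.25.50.30", "172.25.50.10", 20 + i) for i in range(40)],
    # Benign client: repeated connections to ssh and dns only
    (1001.0, "172.25.50.40", "172.25.50.10", 22),
    (1002.0, "172.25.50.40", "172.25.50.10", 53),
    (1003.0, "172.25.50.40", "172.25.50.10", 22),
    # Low-and-slow scan: one new port every 120 s, 40 ports over 80 minutes
    *[(2000.0 + i * 120.0, "172.25.50.50", "172.25.50.10", 1000 + i) for i in range(40)],
]


def detect_scanners(flows, window=60.0, threshold=20):
    """Flag sources that touch >= `threshold` distinct destination ports on one
    destination within any `window`-second sliding window.
    Returns {src_ip: timestamp of the flow that crossed the threshold}."""
    recent = defaultdict(deque)                      # (src, dst) -> deque of (ts, port)
    port_counts = defaultdict(lambda: defaultdict(int))  # (src, dst) -> port -> hits in window
    alerts = {}
    for ts, src, dst, port in sorted(flows):         # flows must be processed in time order
        key = (src, dst)
        q, counts = recent[key], port_counts[key]
        # Expire records that have fallen out of the window
        while q and ts - q[0][0] > window:
            _, old_port = q.popleft()
            counts[old_port] -= 1
            if counts[old_port] == 0:
                del counts[old_port]
        q.append((ts, port))
        counts[port] += 1
        # Distinct ports currently inside the window is the scan indicator
        if len(counts) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    print("60 s window:  ", detect_scanners(FLOWS))
    print("3600 s window:", detect_scanners(FLOWS, window=3600.0))
```

With the 60 s window only the fast scanner is flagged; widening the window to an hour also catches the slow scanner, at the cost of more state per source pair and a higher false-positive risk from legitimately chatty hosts.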