
RE: sfportscan logging: msg#00020

security.ids.snort.devel

Subject: RE: sfportscan logging

> -----Original Message-----
> From: snort-devel-admin@xxxxxxxxxxxxxxxxxxxxx
> [mailto:snort-devel-admin@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
> Andrew Mullican
> Sent: 27 April 2006 11:05
> To: jnn@xxxxxxxxx
> Cc: snort-devel@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Snort-devel] sfportscan logging
>

> We are aware that sfportscan has some inconsistencies in its
> output (and that the output is often confusing), and will
> address those as soon as we can, in our schedule. Still,
> detecting portscans is not an exact science, and it's possible
> for sfportscan to get confused. I definitely would not recommend
> going back to any earlier portscan--in fact they've all been
> deprecated. Try to continue tuning and see if you can get
> better results.

Talking about tuning and deprecated portscans: as for effectiveness, I still
have better and more effective overall results using flow-portscan. I observe
more precise results; it may be more complex to really tune, but you can still
see decoy patterns with some kind of correlation :) [TCP ONLY], and as for
offenders, you will see them.

The best thing about sfportscan is multi-protocol "scan" detection and the
multi-host scan report, but the kind of tuning interface you have as of now is
kind of limited for the type of information [feature set] sfportscan provides,
hence a high level of false positives and not many tuning options.


I mean, if you portscan using 200 hosts scanning N ports over a timeframe of 2
weeks... there is not much you can do about that unless you have some kind of
anomaly-based detection engine, so usually you want to see bursts, and it would
be nice if you could define the scan patterns / thresholds you might be
interested in getting feedback on.



Eric Lauzon
[Research & Development]
Above Sécurité / Above Security
Tel: (450) 430-8166
Fax: (450) 430-1858

---------------------------------------
"Premature optimization is the root of all
evil (or at least most of it) in programming."
- Donald Knuth

CONFIDENTIALITY NOTICE (translated from the French)

This message is for the exclusive use of the recipient(s) named above. Its
content is confidential and may be subject to professional secrecy. If you have
received this message in error, please notify us immediately and destroy it,
without copying it, disclosing its content, or acting upon it.

CONFIDENTIALITY NOTICE

This communication is intended for the exclusive use of the addressee
identified above. Its content is confidential and may contain privileged
information. If you have received this communication in error, please notify
the sender and delete the message without copying or disclosing it.
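As an added illustration of the burst-versus-slow-scan point made in the message above (example code written for this page, not part of the original thread and not Snort's sfportscan or flow-portscan implementation), the following Python models the two detection strategies on constructed flow records. A per-source sliding-window threshold catches a burst (one host, many ports in seconds), and it keeps missing a scan spread over 200 sources and 2 weeks no matter how long the window is, because no single source ever crosses the port threshold; lowering that threshold far enough to catch the slow scanners also flags an ordinary admin host, which is the false-positive trade-off the message complains about. A per-target aggregate (many ports from many sources inside a long window) is the kind of anomaly-style view that does expose the distributed scan. All addresses, timings and thresholds are constructed for the demonstration; nothing here is derived from real traffic or from Snort's own thresholds.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, Iterable, List, Set

DAY = 86400  # seconds


@dataclass(frozen=True)
class Flow:
    """One connection attempt (constructed record, not real capture data)."""
    ts: int      # seconds since an arbitrary epoch
    src: str
    dst: str
    dport: int


def sliding_window_flags(flows: Iterable[Flow],
                         group_by: Callable[[Flow], Hashable],
                         window: int,
                         is_scan: Callable[[List[Flow]], bool]) -> Dict[Hashable, int]:
    """Group flows by group_by(), slide a `window`-second window over each group in
    time order, and record the first timestamp at which is_scan() holds for the
    flows inside the window. Returns {group_key: first_alert_ts}."""
    groups: Dict[Hashable, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        groups[group_by(f)].append(f)
    flagged: Dict[Hashable, int] = {}
    for key, fl in groups.items():
        lo = 0
        for hi, f in enumerate(fl):
            while fl[lo].ts < f.ts - window:   # drop flows older than the window
                lo += 1
            if is_scan(fl[lo:hi + 1]):
                flagged[key] = f.ts
                break
    return flagged


def burst_scanners(flows: Iterable[Flow], window: int = 60, min_ports: int = 20) -> Set[str]:
    """Per-source threshold: a source is a scanner if it touches at least min_ports
    distinct (target, port) pairs inside one window. Counting (target, port) pairs
    catches both a portscan (one host, many ports) and a portsweep (one port, many hosts)."""
    def many_pairs(fl: List[Flow]) -> bool:
        return len({(f.dst, f.dport) for f in fl}) >= min_ports
    return set(sliding_window_flags(flows, lambda f: f.src, window, many_pairs))


def scanned_targets(flows: Iterable[Flow], window: int = 14 * DAY,
                    min_ports: int = 200, min_sources: int = 50) -> Set[str]:
    """Per-target aggregate: a target is under a distributed scan if, inside one
    (long) window, many distinct ports are probed by many distinct sources. No single
    source needs to cross a per-source threshold for this to fire."""
    def many_ports_many_sources(fl: List[Flow]) -> bool:
        return (len({f.dport for f in fl}) >= min_ports
                and len({f.src for f in fl}) >= min_sources)
    return set(sliding_window_flags(flows, lambda f: f.dst, window, many_ports_many_sources))


def constructed_flows() -> List[Flow]:
    """Constructed sample traffic (all addresses are documentation/private ranges)."""
    flows: List[Flow] = []
    # 1) A burst: one host probes 50 ports of 192.0.2.10 within 10 seconds.
    flows += [Flow(1000 + (p - 1) // 5, "10.0.0.5", "192.0.2.10", p) for p in range(1, 51)]
    # 2) A slow, distributed scan: 200 hosts, 5 ports each, 1000 ports of 192.0.2.20
    #    spread evenly over 14 days (one probe roughly every 20 minutes, from a
    #    source that is never seen again for hours).
    for i in range(200):
        src = f"198.51.100.{i}"
        for j in range(5):
            n = i * 5 + j
            flows.append(Flow(n * (14 * DAY) // 1000, src, "192.0.2.20", 1 + n))
    # 3) Background: ordinary clients hitting the web ports of 192.0.2.30 ...
    for k in range(100):
        flows.append(Flow(k * 600, f"203.0.113.{k % 20}", "192.0.2.30", 443 if k % 2 else 80))
    # ... and one admin host that reaches six services on it over six days.
    for j, p in enumerate((22, 25, 53, 80, 443, 8080)):
        flows.append(Flow(j * DAY, "203.0.113.250", "192.0.2.30", p))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    print("burst (60 s / 20 pairs):     ", sorted(burst_scanners(flows)))
    print("per-source, 14 d / 20 pairs: ", sorted(burst_scanners(flows, 14 * DAY, 20)))
    loose = burst_scanners(flows, window=14 * DAY, min_ports=5)
    print("per-source, 14 d / 5 pairs:  ", len(loose), "sources; admin host flagged:",
          "203.0.113.250" in loose)
    print("distributed targets (14 d):  ", sorted(scanned_targets(flows)))
```

Run as-is to see the four results side by side: the 60-second burst rule flags only 10.0.0.5; the same per-source rule with a 14-day window still flags only 10.0.0.5, since each distributed source touches just 5 ports; dropping the threshold to 5 pairs flags all 200 scanning sources plus the legitimate admin host; and the per-target aggregate flags 192.0.2.20 alone. The sliding window is deliberately simple (a list slice per step) so the logic stays readable; a production detector would keep incremental counters instead.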

