Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 2 subscribers
  • Views 1704 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Portscan alert rule

Mike_C
Does anyone know the conditions for an alert that you are being portscanned? I was just hit for over an hour, on ports 1060 to 1130 from the same IP, yet never did it alert me. The scan was done not 1 port after another, but randomly from 1060-1090 then steady every 60 seconds from 1090 to 1130+.


This thread was automatically locked due to age.
  • 0
    hi mike,

    slow port scans cannot be easily detected without knowing the service context of the "protected" network, since they do not differ from regular (or "possibly regular") traffic very much.

    /tom
  • 0 in reply to tom_01
    quote:
     Does anyone know the conditions for an alert that you are being portscanned?


    Tom, could you let us know the conditions for portscan to trigger? I realise that ASL tries to shield the user as much as possible with a simple interface, but it would help us understand the tools.

    In my case I am getting thousands (literally) of portscan detected emails even though there is no portscan in progress and I have portscan turned off.

    The huge number of emails is turning into a real DoS problem.

    Ari Maniatis
  • 0 in reply to Ari Maniatis
    Hello Ari and others,

    a portscan will be detected

    if someone connects from one to another IP to
    several ports and if the time between the connects
    is less than x ms(I think x was 5, but I am not
    sure right now) and the defined weight is greater
    than 21 (previliged ports weight 3, unpreviliged 1)


    hope that helps
    o|iver
Unfiltered HTML