[Snort-users] Detection of subnet scan activity
From: Ben Carter (BenC dcpud.org)
Date: Mon Jan 05 2004 - 17:31:05 CST
Howdy.
I love SNORT! I have been searching for a way to use SNORT to detect
subnet scans, but am unable to find what I am looking for in the FAQ,
Documentation or mailing list archives. I see that there is a
pre-processor module that has the ability to look beyond simple packet
matching rules, but it appears that this pre-processor module only
detects port scans. Is there a pre-processor module to detect when a
host scans for multiple /hosts/? Optimally the source host would be
identified by MAC address rather than IP so that scans or attacks
launched from a single station which was spoofing multiple source IP
addresses (such as one of those nasty worms) could be identified.
If someone could point me in the right direction (even if it is not
SNORT related, or even a commercial product *gasp*, hope I don't get
flamed for this) I would appreciate it greatly. My appreciation and
$2.50 will get you a latte at any Starbucks in the Country ;D
Thanks again!
Ben Carter
Network Analyst
Douglas County PUD
1151 Valley mall Parkway
East Wenatchee WA, 98802
Voice: (509) 884-7191
Fax: (509) 884-0553
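
A minimal sketch of the detection asked about above, added here as an example (it is not from the original post and is not Snort code): count distinct destination hosts per source MAC in a sliding window, so a station spoofing several source IPs still shows up as one scanner. The function name, thresholds and packet records are assumptions constructed for illustration, and source MACs are only meaningful when the sensor sits on the scanner's own layer-2 segment.

```python
from collections import defaultdict, deque

SCANNER = "00:11:22:33:44:55"      # constructed MAC of the scanning station
WORKSTATION = "00:aa:bb:cc:dd:01"  # constructed MAC of a normal client

# Constructed records: (timestamp_s, src_mac, src_ip, dst_ip, dst_port).
SAMPLE_PACKETS = (
    [(1.0 + 0.5 * i, SCANNER, f"10.0.0.{50 + i % 3}", f"10.0.1.{i + 1}", 445)
     for i in range(6)]
    + [(2.0 * i, WORKSTATION, "10.0.0.20", f"10.0.1.{200 + i % 2}", 80)
       for i in range(8)]
)

def detect_subnet_scans(packets, key="mac", window=10.0, threshold=5, ignore=()):
    """Alert on each source that contacts >= threshold distinct hosts in window seconds.

    key="mac" groups by source MAC, key="ip" by source IP. `ignore` lists
    sources such as the default gateway, which forwards for many hosts.
    """
    recent = defaultdict(deque)   # source -> (ts, src_ip, dst_ip) inside the window
    alerts = {}
    for ts, mac, src_ip, dst_ip, _port in sorted(packets):
        source = mac if key == "mac" else src_ip
        if source in ignore or source in alerts:
            continue
        seen = recent[source]
        seen.append((ts, src_ip, dst_ip))
        while ts - seen[0][0] > window:   # drop records older than the window
            seen.popleft()
        targets = {dst for _, _, dst in seen}
        if len(targets) >= threshold:
            alerts[source] = {
                "alert_time": ts,
                "targets": sorted(targets),
                "source_ips": sorted({ip for _, ip, _ in seen}),
            }
    return alerts

if __name__ == "__main__":
    for source, alert in detect_subnet_scans(SAMPLE_PACKETS).items():
        print(source, alert)
    print("keyed by IP:", detect_subnet_scans(SAMPLE_PACKETS, key="ip"))
```

Keyed by source IP, the same constructed traffic raises no alert, because each spoofed address touches only two hosts.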