IDS and portscan-detection
klaus.dombrofsky_at_degussa.com
Date: 08/28/03
- Previous message: Fergus Brooks: "Database HIPS/HIDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-ids@lists.securityfocus.com Date: Thu, 28 Aug 2003 15:49:34 +0200
Hi folks,
i'm managing several IDS-systems (Snort-basis) with a central
SQL-database.
One option in my sensors is Portscan Detection
with several settings:
Number Of Ports
Number Of Hosts
Detection Period (s)
So, what would you suggest as good settings for detecting portscans ?
How many ports or how many hosts in what period of time is a value that
make sense ?
The smaller the settings the bigger the amount of data, the bigger the
settings the bigger is the chance
to miss "important data".
Where is the happy medium ?
May be it makes no sense to keep an eye on portscans on the IDS, because
the most scans are typical
evident scans from "harmless" guys and so on.
best regards
Klaus-Peter Dombrofsky
its.on
Global Network Services
Security Management
T +49.(0)8621 86 3057
M +49.(0)175 2617851
E-Mail: Klaus.Dombrofsky@degussa.com
GPG-Key available
Fingerprint
C4DB D0C8 63AB E637 7879 A7FC 2A97 7196 CF34 0C1D
---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the worlds premier
technical IT security event. Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symanetc is the Diamond sponsor. Early-bird registration ends September 6 Visit: www.blackhat.com
---------------------------------------------------------------------------
- Previous message: Fergus Brooks: "Database HIPS/HIDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
