IDS Strategy

This section introduces some of the most common troubleshooting questions encountered when working with an IDS in general.

How Can I Detect “Slow” Scans?

Slow portscans, usually perpetrated by a determined attacker specifically targeting your systems, can be difficult to discover. Slow scans that use out-of-spec traffic, such as SYN-FIN scans, are easily detected because they have an identifiable signature. Other scans that do not have a traffic signature per se are more difficult to detect. You have to rely on the configuration settings of the portscan2 preprocessor. The threshold used to configure portscan2 to detect a slow scan can generate so many false positives that portscan2 becomes unusable, presenting a major problem in ...
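The trade-off the paragraph describes can be seen with a small detector of the same general kind as portscan2: count the distinct destination ports each source touches inside a sliding time window and alert once a threshold is crossed. The code below is an added illustration, not Snort's portscan2 code and not from the book; the log format, the three source hosts and their traffic are all constructed for the example. Running it with a short window catches only the fast scanner; widening the window far enough to catch the slow scanner also flags an ordinary client that simply uses several services during the day, which is the false-positive problem the text refers to.

```python
import re
from collections import defaultdict, deque

# Constructed log line format (assumption for this example):
#   "<epoch_seconds> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+)$")


def build_sample_log():
    """Constructed sample traffic (not real captures): three sources, three behaviours."""
    base = 1_700_000_000
    lines = []
    # Fast scanner: 20 distinct ports in 20 seconds.
    for i in range(20):
        lines.append(f"{base + i} 203.0.113.5 -> 192.0.2.10:{1 + i}")
    # Slow scanner: 20 distinct ports, one probe every 6 minutes (2 hours in total).
    for i in range(20):
        lines.append(f"{base + i * 360} 203.0.113.77 -> 192.0.2.10:{100 + i}")
    # Legitimate client: six normal services, each used a few times across a working day.
    for i, port in enumerate([80, 443, 22, 25, 53, 993]):
        for rep in range(3):
            lines.append(f"{base + i * 3600 + rep * 600} 10.0.0.8 -> 192.0.2.10:{port}")
    return lines


def parse_line(line):
    """Return (ts, src, dst, dport) or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return int(ts), src, dst, int(dport)


def detect_scans(lines, window_seconds, threshold):
    """Sliding-window port-scan detector.

    For each source, keep the (timestamp, dport) pairs seen within the last
    window_seconds.  When the number of distinct ports in that window reaches
    threshold, record an alert for the source (first crossing only).
    Returns {src: distinct_port_count_at_first_alert}.
    """
    records = [r for r in (parse_line(l) for l in lines) if r is not None]
    records.sort(key=lambda r: (r[0], r[1], r[3]))  # process in time order

    recent = defaultdict(deque)  # src -> deque of (ts, dport) inside the window
    alerts = {}
    for ts, src, _dst, dport in records:
        q = recent[src]
        q.append((ts, dport))
        # Drop entries that have aged out of the window.
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = len(distinct)
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    # Short window: only the fast scanner trips the threshold; the slow scan is invisible.
    print("60s window  :", detect_scans(log, window_seconds=60, threshold=5))
    # Long window: the slow scan is caught, but so is the legitimate client (false positive).
    print("4h window   :", detect_scans(log, window_seconds=4 * 3600, threshold=5))
```

The threshold (five distinct ports here) and the window length are the two knobs; there is no single setting that separates a scan spread over hours from a host that legitimately talks to half a dozen services in the same period, which is why tuning such a detector for slow scans tends to drown the analyst in alerts from busy but benign hosts.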
