1

I am working on detecting the scanning activity of bots/worms. I have found that the Snort portscan preprocessor detects scanning activity. I have tweaked the Snort portscan preprocessor to detect different types of scanning activity.

However, I was curious to know whether a better independent scan detection tool (not an IDS like Suricata or Bro) exists and, if it does, what the reasons are that it is better than the Snort portscan preprocessor, or vice versa.

schroeder
user10012

1 Answer

1

Try looking into Scanlogd http://www.openwall.com/scanlogd/

Also look into psad (Port Scan Attack detector) http://cipherdyne.org/psad/

I haven't tried using either of them. Though I am not sure how much better than Snort these will be, I am sure they allow for a much higher degree of customization, which may help.

subash
    Snort allows lots of tuning, like setting different sensing modes, thresholds, time windows, etc. In a similar way, can you elaborate on "higher degree of customization"? – user10012 Jun 25 '16 at 20:27
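As an added example, not part of the original question or answer and not code from Snort, scanlogd or psad: a minimal sliding-window port scan detector in Python, run over constructed iptables-style log lines of the kind psad consumes. It shows the two knobs the question mentions, a threshold on distinct (host, port) targets and a time window, and the caveat that a scan paced slower than the window is never accumulated unless the window is widened. The log lines, the IP addresses and the year supplied for the year-less syslog timestamps are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed iptables LOG lines, not a real capture. 203.0.113.5 sweeps eleven
# ports on one host in three seconds; 203.0.113.99 probes one port every six
# seconds; 198.51.100.7 is ordinary traffic plus one ICMP echo (no DPT field).
SAMPLE_LOG = """\
Jun 25 20:27:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=22
Jun 25 20:27:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Jun 25 20:27:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Jun 25 20:27:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Jun 25 20:27:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23
Jun 25 20:27:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25
Jun 25 20:27:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=53
Jun 25 20:27:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=80
Jun 25 20:27:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=110
Jun 25 20:27:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=135
Jun 25 20:27:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Jun 25 20:27:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40009 DPT=139
Jun 25 20:27:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40010 DPT=143
Jun 25 20:27:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=445
Jun 25 20:27:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80
Jun 25 20:27:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=33002 DPT=23
Jun 25 20:27:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=33003 DPT=25
Jun 25 20:27:18 gw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=33004 DPT=80
Jun 25 20:27:24 gw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=33005 DPT=110
"""

# Only lines carrying a destination port are scan-relevant here; ICMP lines
# have no DPT= field and are skipped by the parser.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dport>\d+)"
)
EPOCH = datetime(1970, 1, 1)
ASSUMED_YEAR = "2016"  # syslog timestamps carry no year; assumed for the example


def parse_line(line):
    """Return (ts_seconds, src, dst, dport) or None for lines without a DPT."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dt = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return (dt - EPOCH).total_seconds(), m["src"], m["dst"], int(m["dport"])


class PortScanDetector:
    """Alert once per source that touches >= threshold distinct (dst, port)
    targets within a sliding window of `window` seconds."""

    def __init__(self, threshold=10, window=5.0):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)  # src -> deque of (ts, dst, dport)
        self.alerted = set()

    def feed(self, ts, src, dst, dport):
        q = self.events[src]
        q.append((ts, dst, dport))
        while ts - q[0][0] > self.window:  # drop events older than the window
            q.popleft()
        targets = {(d, p) for _, d, p in q}
        if len(targets) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return {"src": src, "distinct_targets": len(targets), "span": ts - q[0][0]}
        return None


def scan_log(text, threshold=10, window=5.0):
    """Run the detector over log text; returns the alerts in firing order."""
    det = PortScanDetector(threshold, window)
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            alert = det.feed(*ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))                              # fast sweeper only
    print(scan_log(SAMPLE_LOG, threshold=5, window=30.0))    # slow prober too
```

With the defaults (10 targets in 5 s) only 203.0.113.5 fires, after its tenth port at 20:27:03; the slow 203.0.113.99 never accumulates more than one event per window. Widening the window to 30 s (and lowering the threshold to 5 for the short sample) catches it, which is exactly the sensitivity-versus-false-positive trade-off that the Snort sense levels and the psad threshold settings expose; the price of the wider window is that busy legitimate clients are more likely to cross it.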