New Reply 
Modification of Snort portscan preprocessor
project topics Offline
SP Deserved Member
**********
Posts: 2,481
Threads: 1,434
Joined: Mar 2010
#1
22-04-2010, 12:02 AM

Snort is an open source lightweight network intrusion detection system based on libpcap. It can produce real-time alerts as well as packet logs in a variety of formats. Snort has a flexible rules language to describe what alerts should be alerted, logged, or passed. Different members of the Snort community provide rules that can be used for a particular installation and sites can write their own rules. The detection engine uses a modular plugin architecture, which allows developers to extend Snort and users to choose the functionality required to meet their needs.

The portscan detection functionality in Snort is made possible by a preprocessor plugin. The Snort portscan detector attempts to look for X TCP or UDP packets sent to any number of host/port combinations from a single source host in Y seconds, where X and Y are user defined values. Additionally, the portscan detector looks for single TCP packets that are not used in normal TCP operations. Such packets will have odd combinations of TCP flags set, or no flags set at all.

Upon arrival, a packetâ„¢s structure is checked for soundness. The packet is then tested to see if it is part of a scan currently in progress. This is achieved by comparing the packet type and source address to those of scans currently being investigated. If it is not part of a current scan, it becomes the starting node of a new scan. Otherwise, the matching scanâ„¢s packet count is incremented, and a check is made to determine whether the threshold of X packets sent in Y seconds was exceeded. If so, the scan is reported. The scan will also be reported, regardless of the threshold being broken, if the packet contained an abnormal TCP flag combination.

The current version of the Snort portscan detector has a couple notable shortcomings that can easily be used to evade portscan detection. First, it is unable to detect scans originating from multiple hosts. Also, the threshold is determined by a static combination of user specified numbers. The threshold is usually set high enough to allow for only a bearable amount of portscan false positives. As a result, it is very easy to avoid detection by increasing the time between sending scan probes.

The proposed project is a new portscanner which covers the shortcomings of the exisiting system.
Find
Reply
New Reply 

Important Note..!

If you are not satisfied with above reply ,..Please

ASK HERE

So that we will collect data for you and will made reply to the request....OR try below "QUICK REPLY" box to add a reply to this page
Popular Searches: seminar on latest modification in ic engine pdf, intrusion detection with snort by jack koziol, java project on intrusion detection using snort tool with code, intrusion detection with snort jack koziol pdf, project for final year it with source code snort, source code for snort tool in java, network intrusion detection with snort,

[-]
Quick Reply
Message
Type your reply to this message here.
Image Verification
Please enter the text contained within the image into the text box below it. This process is used to prevent automated spam bots.
Image Verification
(case insensitive)

Possibly Related Threads...
Thread Author Replies Views Last Post
  A Novel method for Detection and Elimination of Modification Attack and TTL seminar class 0 942 04-05-2011, 11:02 AM
Last Post: seminar class

Forum Jump:

Contact Us | Student Seminar Report & Project Report With Presentation (PPT,PDF,DOC,ZIP) | Return to Top | Lite (Archive) Mode | RSS Syndication