Abstract
This paper presents an investigative analysis of network scans and scan detection algorithms. Visualisation is employed to review network telescope traffic and identify incidents of scan activity. Some of the identified phenomena appear to be novel forms of host discovery. Scan detection algorithms used by the Snort and Bro intrusion detection systems are critiqued by comparing the visualised scans with alert output. Where human assessment disagrees with the alert output, explanations are sought by analysing the detection algorithms. The Snort and Bro algorithms are based on counting unique connection attempts to destination addresses and ports. For Snort, notable false positive and false negative cases result due to a grossly oversimplified method of counting unique destination addresses and ports.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Irwin, B., van Riel, J.P. (2008). Using InetVis to Evaluate Snort and Bro Scan Detection on a Network Telescope. In: Goodall, J.R., Conti, G., Ma, KL. (eds) VizSEC 2007. Mathematics and Visualization. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-78243-8_17
Download citation
DOI: https://doi.org/10.1007/978-3-540-78243-8_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-78242-1
Online ISBN: 978-3-540-78243-8
eBook Packages: Computer ScienceComputer Science (R0)