Snort mailing list archives
Portscan.log
From: <ids-lists () talk21 com>
Date: Thu, 30 Aug 2001 18:19:28 +0100
Sorry for the newbie question, but I am having strange results with my /var/log/snort/portscan.log. If I port scan a machine on the same net as my snort box, sometimes the portscan.log file is populated with the details of the scan, but most of the time it fails to register the portscan.

I am running 1.8.1 with this command line:

/usr/local/bin/snort -D -c /etc/snort/snort.conf

with the following snort.conf:

var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET

preprocessor defrag
preprocessor frag2
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor unidecode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
preprocessor arpspoof

output alert_syslog: LOG_AUTH LOG_ALERT

include classification.config
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include shellcode.rules
include misc.rules
include policy.rules
include info.rules
include icmp-info.rules
include virus.rules
include local.rules
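Added example (editor's illustration, not part of the original post and not Snort's own code): the line `preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log` tells the Snort 1.x portscan preprocessor to log when one source touches 4 ports within 3 seconds. The small Python model below applies that same sliding-window threshold to constructed connection records, so you can see which probe patterns cross it and which do not. The IP addresses, ports and timings are invented sample data; the function only models the "N ports in M seconds" rule, not everything the real preprocessor does.

```python
from collections import defaultdict, deque

# Constructed sample records, not captured traffic:
# (src_ip, dst_ip, dst_port, time_in_seconds)
SAMPLE_EVENTS = [
    # A fast scan: 4 distinct ports in 0.6 s -> crosses a "4 ports in 3 s" threshold.
    ("10.0.0.5", "192.168.1.10", 21, 100.0),
    ("10.0.0.5", "192.168.1.10", 22, 100.2),
    ("10.0.0.5", "192.168.1.10", 23, 100.4),
    ("10.0.0.5", "192.168.1.10", 25, 100.6),
    # The same 4 ports paced 2 s apart: no 3 s window ever holds 4 distinct ports.
    ("10.0.0.6", "192.168.1.10", 21, 200.0),
    ("10.0.0.6", "192.168.1.10", 22, 202.0),
    ("10.0.0.6", "192.168.1.10", 23, 204.0),
    ("10.0.0.6", "192.168.1.10", 25, 206.0),
    # A busy client hitting one port repeatedly: only 1 distinct port, never a scan.
    ("10.0.0.7", "192.168.1.10", 80, 300.0),
    ("10.0.0.7", "192.168.1.10", 80, 300.1),
    ("10.0.0.7", "192.168.1.10", 80, 300.2),
    ("10.0.0.7", "192.168.1.10", 80, 300.3),
    ("10.0.0.7", "192.168.1.10", 80, 300.4),
]


def detect_portscans(events, ports=4, seconds=3.0):
    """Flag each source the first time it touches `ports` distinct destination
    ports inside any `seconds`-long sliding window (the "4 3" in the snort.conf
    line above). Returns a list of (src, window_start, window_end, ports_seen)."""
    events = sorted(events, key=lambda e: e[3])      # process in time order
    window = defaultdict(deque)                       # src -> deque of (time, dport)
    alerted = set()
    alerts = []
    for src, _dst, dport, ts in events:
        q = window[src]
        q.append((ts, dport))
        # Drop entries that have fallen out of the window ending at `ts`.
        while q and q[0][0] < ts - seconds:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= ports and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0][0], ts, sorted(distinct)))
    return alerts


if __name__ == "__main__":
    for src, start, end, seen in detect_portscans(SAMPLE_EVENTS):
        print(f"portscan from {src}: ports {seen} between t={start} and t={end}")
    # Widening the window to 7 s makes the slow-paced source cross the threshold too.
    for src, start, end, seen in detect_portscans(SAMPLE_EVENTS, seconds=7.0):
        print(f"[7 s window] portscan from {src}: ports {seen}")
```

Running it with the defaults flags only 10.0.0.5; with `seconds=7.0` the slow-paced 10.0.0.6 is flagged as well, and 10.0.0.7 never is. The practical check this suggests: compare the pacing of the scanner you are testing with against the "4 3" threshold configured, since a scan spread over more than the window will not cross it under this rule.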
Current thread:
- Portscan.log ids-lists (Aug 30)
- RE: Portscan.log John Berkers (Sep 01)