Snort mailing list archives
Re: Port scanning
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 17 Sep 2001 07:04:42 -0700 (PDT)
On Mon, 17 Sep 2001, Subba Rao wrote:
I am running Snort with the following command line options.

    ./bin/snort -l ./logs -c ./etc/snort.conf -o -b -A fast -z est -i eth0 -p -t /usr/snort -g snort -u snort
Normal enough.
In "snort.conf" I have the following configuration,

    preprocessor stream4: detect_scans
    preprocessor portscan: $HOME_NET 4 3 portscan.log
Normal.
Now, I dial to the Internet using another system and run a portscan on the Snort box. All I am seeing is some ICMP "Echo Reply" logged into the "alerts" file. There is nothing logged into "portscan.log" while the ipchains is logging each port connect attempt into syslog.
Not so normal. :)
What do I need to modify in the configuration file or on the command line options to log the port scans?
I'm assuming eth0 is a normal ethernet interface. Nothing odd like PPPoE and the like...

It would seem that IPchains is 'intercepting' and 'blocking' the packets before they are able to be processed. This has been bounced around on the list quite a bit, so I'd suggest searching the archives before taking my words on it! :)

Good Luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net