Snort mailing list archives

Re: Snort won't detect any portscan activity


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 18 Feb 2002 11:58:07 -0500

First, I'd try setting HOME_NET to any as a quick test.

I'm guessing (wildly) that you have snort running on a Linux box that is doing address translation/masquerading/whatever for a small network. If you have snort listening on your outside interface HOME_NET should be the IP of that interface, not the address translated ones, since the 192.168.*.* addresses will never appear on that interface.


Also note, you will have to generate attacks from the outside world heading into your network, not from the inside heading out. Snort only monitors for portscans being run against HOME_NET (i.e. any portscans being run from HOME_NET will generally not be detected).

Please include some more details about your setup and the scans you are running if this isn't helpful to you.


At 12:35 PM 2/17/2002 +0100, Alen Salamun wrote:
Hello!

I have been trying to get snort up and running on my Mandrake 8.1.
Everything works OK, but snort won't detect any kind of portscans
(nmap -sS, -sT) at all. Portscans go through; I don't block them with
iptables. I tried some other rules and they worked.

I have mandrake 8.1 and Snort 1.8.3 precompiled from site and even
recompiled it myself. Configuration:

var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 3 5 /var/log/snort/portscan.log
and all the normal includes....

Where am I going wrong?

Bye, Alen


