Snort mailing list archives
Re: nmap scans don't appear in portscan.log
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 1 Apr 2002 12:50:48 -0800 (PST)
On Mon, 1 Apr 2002, Salomon, Charlie wrote:
I'm a Snort newbie and need some help. I configured Snort 1.8.4 on Linux (Slackware 7.1) with the default snort.conf file except for the HOME_NET variable. We use a 172.xx.x.0 internal network with a 255.255.252.0 mask. The HOME_NET entry is 172.xx.x.0/22. I ran nmap against the Snort box and the scans were properly detected. However, when I ran a scan against other machines on our network, the scans were not detected. I am running snort as a daemon with the following parameters:
[...snip...]
From the snort.conf file:
    # portscan: detect a variety of portscans
    # ---------------------------------------
    # portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net>
    # This preprocessor detects UDP packets or TCP SYN packets going to
    # four different ports in less than three seconds. "Stealth" TCP
    # packets are always detected, regardless of these settings.

    preprocessor portscan: $HOME_NET 4 3 portscan.log

    # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
    # specific networks or hosts to reduce false alerts. It is typical
    # to see many false alerts from DNS servers so you may want to
    # add your DNS servers here. You can all multiple hosts/networks
    # in a whitespace-delimited list.
    # preprocessor portscan-ignorehosts: $DNS_SERVERS

Now, depending on a few things, you might not be tripping the preprocessor. Have you changed the "4 3" config? Are you using DNS_SERVERS? If so, make sure you're not trying to scan a host in the ignorelist. What is the timing level you're using for nmap (-T <option>)?

Sounds like a config issue, since you can see the packets on the wire when you sniff for them....

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
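
The questions in the reply above (threshold, ignore list, probe timing, and whether the target falls inside HOME_NET) can be checked against the rule as the snort.conf comment words it. The following is an added example, not part of the original post and not Snort's own code: a simplified Python model of the `4 3` threshold. The 172.16.4.0/22 network, the addresses and the probe list are constructed, and matching the monitored network against the packet's destination is an assumption.

```python
import ipaddress
from collections import defaultdict, deque

def portscan_alerts(events, home_net, ports=4, seconds=3, ignore=()):
    """Model of the rule in the snort.conf comment: alert when one source sends
    TCP SYN/UDP packets to `ports` different ports in under `seconds` seconds.
    events: (timestamp, src_ip, dst_ip, dst_port). Returns [(timestamp, src_ip)].
    Assumption: the monitored network is matched against the destination."""
    net = ipaddress.ip_network(home_net)
    ignored = [ipaddress.ip_network(n) for n in ignore]
    recent = defaultdict(deque)            # src -> (timestamp, dst_port) in window
    alerts = []
    for ts, src, dst, dport in sorted(events):
        if ipaddress.ip_address(dst) not in net:
            continue                       # target outside the monitored network
        if any(ipaddress.ip_address(src) in n for n in ignored):
            continue                       # portscan-ignorehosts entry
        window = recent[src]
        window.append((ts, dport))
        while ts - window[0][0] >= seconds:
            window.popleft()               # drop probes older than the period
        if len({p for _, p in window}) >= ports:
            alerts.append((ts, src))
            window.clear()                 # one alert per burst
    return alerts

# Constructed sample traffic; 172.16.4.0/22 stands in for the elided HOME_NET.
HOME_NET = "172.16.4.0/22"                 # covers 172.16.4.0 - 172.16.7.255
SCANNER = "172.16.4.50"

def probes(dst, gap):
    """Four SYNs from SCANNER to dst, `gap` seconds apart."""
    return [(i * gap, SCANNER, dst, port) for i, port in enumerate((21, 22, 23, 25))]

def run_cases():
    return {
        "fast, target in HOME_NET": portscan_alerts(probes("172.16.5.10", 0.5), HOME_NET),
        "slow, target in HOME_NET": portscan_alerts(probes("172.16.5.10", 5), HOME_NET),
        "fast, target outside /22": portscan_alerts(probes("172.16.8.10", 0.5), HOME_NET),
        "fast, scanner ignored": portscan_alerts(
            probes("172.16.5.10", 0.5), HOME_NET, ignore=[SCANNER + "/32"]),
    }

if __name__ == "__main__":
    for name, alerts in run_cases().items():
        print(f"{name:26} -> {'ALERT' if alerts else 'no alert'} {alerts}")
```

Only the first case crosses the threshold; each of the other three corresponds to one of the configuration questions asked in the reply.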