Snort mailing list archives

Re: nmap scans don't appear in portscan.log


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 1 Apr 2002 12:50:48 -0800 (PST)

On Mon, 1 Apr 2002, Salomon, Charlie wrote:

I'm a Snort newbie and need some help.  I configured Snort 1.8.4 on Linux
(Slackware 7.1) with the default snort.conf file except for the HOME_NET
variable.  We use a 172.xx.x.0 internal network with a 255.255.252.0 mask.
The HOME_NET entry is 172.xx.x.0/22.

I ran nmap against the Snort box and the scans were properly detected.
However, when I ran a scan against another machines on our network, the scans
were not detected.  I am running snort as a daemon with the following
parameters:

[...snip...]

From the snort.conf file:

# portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.

preprocessor portscan: $HOME_NET 4 3 portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can list multiple hosts/networks
# in a whitespace-delimited list.
#
preprocessor portscan-ignorehosts: $DNS_SERVERS


Now, depending on a few things, you might not be tripping the preprocessor.
Have you changed the "4 3" config?  Are you using DNS_SERVERS?  If so, make
sure you're not trying to scan a host in the ignorelist.  What is the timing
level you're using for nmap (-T <option>)?

Sounds like a config issue, since you can see the packets on the wire when you
sniff for them....

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
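To make the "4 ports in 3 seconds" rule quoted from snort.conf concrete, here is a small Python re-implementation of that threshold logic, added here as an illustration; it is not code from the thread or from Snort itself, and it simplifies Snort's real counting rules (one counter per source, distinct destination/port pairs, reset after an alert). The monitored network, the ignore list and the packet records are constructed stand-ins for the poster's 172.xx.x.0/22 and $DNS_SERVERS values. Running it shows the three ways a scan against a neighbouring host can go unreported that Erek's reply asks about: the target is outside HOME_NET, the source is in the ignore list, or the probes are too slow for the window.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed configuration mirroring the quoted snort.conf line:
#   preprocessor portscan: $HOME_NET 4 3 portscan.log
HOME_NET = ipaddress.ip_network("172.16.0.0/22")      # stand-in for 172.xx.x.0/22
PORT_THRESHOLD = 4                                    # distinct ports
WINDOW_SECONDS = 3.0                                  # within this many seconds
IGNORE_HOSTS = [ipaddress.ip_network("172.16.0.53/32")]  # stand-in for $DNS_SERVERS


class PortscanDetector:
    """Simplified model of the Snort 1.8 portscan preprocessor threshold."""

    def __init__(self, home_net=HOME_NET, ports=PORT_THRESHOLD,
                 window=WINDOW_SECONDS, ignore_hosts=IGNORE_HOSTS):
        self.home_net = home_net
        self.ports = ports
        self.window = window
        self.ignore_hosts = ignore_hosts
        self.seen = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
        self.alerts = []

    def feed(self, ts, src, dst, proto, dport, flags=""):
        """Feed one packet; return an alert string if it completes a scan, else None."""
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        # Only traffic *to* the monitored network is examined.
        if dst_ip not in self.home_net:
            return None
        # Sources on the ignore list never count (DNS servers are the usual case).
        if any(src_ip in net for net in self.ignore_hosts):
            return None
        # Only UDP and pure TCP SYN packets feed the counter; Snort handles
        # "stealth" flag combinations separately, and we do not model those.
        if proto == "TCP" and flags != "S":
            return None
        if proto not in ("TCP", "UDP"):
            return None

        history = self.seen[src]
        history.append((ts, (dst, dport)))
        # Drop probes that fell out of the sliding window.
        while history and ts - history[0][0] > self.window:
            history.popleft()
        distinct = {target for _, target in history}
        if len(distinct) >= self.ports:
            alert = (f"{ts:.1f} portscan from {src}: {len(distinct)} ports "
                     f"within {self.window:.0f}s")
            self.alerts.append(alert)
            history.clear()   # one alert per burst, then start counting again
            return alert
        return None


def simulate_scan(detector, src, dst, ports, interval, start=0.0, proto="TCP"):
    """Replay a constructed SYN (or UDP) scan and return the alerts it produced."""
    alerts = []
    for i, port in enumerate(ports):
        alert = detector.feed(start + i * interval, src, dst, proto, port, flags="S")
        if alert:
            alerts.append(alert)
    return alerts


# Four constructed scenarios (all addresses and timings are made up):
PORTS = [22, 25, 80, 443]

def fast_scan_inside():          # nmap -sS at a normal timing against a HOME_NET host
    return simulate_scan(PortscanDetector(), "172.16.1.200", "172.16.0.10", PORTS, 0.1)

def fast_scan_outside():         # same scan, but the target is not in HOME_NET
    return simulate_scan(PortscanDetector(), "172.16.1.200", "10.0.0.5", PORTS, 0.1)

def slow_scan_inside():          # probes 15 s apart, like a "paranoid"/"sneaky" timing level
    return simulate_scan(PortscanDetector(), "172.16.1.200", "172.16.0.10", PORTS, 15.0)

def scan_from_ignored_host():    # source is on the portscan-ignorehosts list
    return simulate_scan(PortscanDetector(), "172.16.0.53", "172.16.0.10", PORTS, 0.1)


if __name__ == "__main__":
    for name, fn in [("inside/fast", fast_scan_inside), ("outside", fast_scan_outside),
                     ("inside/slow", slow_scan_inside), ("ignored src", scan_from_ignored_host)]:
        print(f"{name:12s} -> {fn() or 'no alert'}")
```

Only the first scenario produces an alert; the other three are silent for exactly the reasons the reply lists, which is why checking HOME_NET membership of the target, the ignore list, and the nmap timing level is the right first diagnostic.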


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
