Snort mailing list archives
Re: UDP Portscans Are Not Capture
From: "Grigoris Vidakis" <gvidakis () lab epmhs gr>
Date: Mon, 30 Sep 2002 18:53:19 +0300
Dear sir, I run Snort Version 1.8.3 (Build 88) on Linux 7.3 (2.4.18-3) and it captures and alerts me on UDP portscans, BUT on the same box, with the same kernel and libpcap, Snort Version 1.8.7 (Build 128) does not capture them.. I am going crazy!!!

Thanks for your time

----- Original Message -----
From: "Erek Adams" <erek () theadamsfamily net>
To: "Grigoris Vidakis" <gvidakis () lab epmhs gr>
Cc: <snort-users () lists sourceforge net>
Sent: Monday, September 30, 2002 5:24 PM
Subject: Re: [Snort-users] UDP Portscans Are Not Capture

On Mon, 30 Sep 2002, Grigoris Vidakis wrote:

> I run Snort Version 1.8.3 (Build 88) on Linux 7.2 (2.4.17), which alerts me
> on the UDP portscans correctly (portscan.log, snort.fast, snort.full), BUT
> when I run Snort Version 1.8.7 (Build 128) on Linux 7.3 (2.4.18-3) with the
> same snort.conf and a Snort binary file as the input (-r), captured from
> 1.8.3 (which had alerted me about UDP portscans), Snort 1.8.7 does not alert
> on the UDP portscans!!!

There are a couple of things that you need to consider. You are having trouble with a pcap file on one version and not the other... But, you also changed versions of OS, kernel, and most importantly libpcap.

spp_portscan doesn't send packets into the log or alert facility. It just sends an alert when it spots a scan. Unless you're logging every packet to that box in a pcap file, you won't have the packets that triggered the portscan. Unless that packet also triggered a rule--that would trigger the rule and log the packet.

And a couple of helpful suggestions below:

> Below is the snort.conf which I use for the 2 sensors.
>
> var HOME_NET any
> var EXTERNAL_NET any
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var HTTP_PORTS any

Don't use 'any'. Set your HOME_NET to 10.10.10.0/24 (or whatever) and then EXTERNAL_NET to !$HOME_NET. That will help on a lot of false positives.

> preprocessor frag2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor http_decode: 80 -unicode -cginull
> preprocessor rpc_decode: 111
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
>
> output log_tcpdump: snort.log
> output alert_full: snort_full
> output alert_fast: snort_fast

Only log one type of alert. Don't output to both full and fast. The only difference is the amount of info. If you are using full then you get all the same info as fast, just with a little bit extra.

> Does anyone have an idea about what is wrong??

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
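The two changes Erek recommends, written out as a snort.conf fragment. This is an added example and not the configuration posted in the thread; the 10.10.10.0/24 network is an assumed placeholder, and the preprocessor and output lines are the ones from the original post, kept so the fragment reads as one coherent config.

```conf
# Added example, not the thread's own snort.conf.
# 10.10.10.0/24 is an assumed placeholder; substitute the sensor's monitored network.

# --- Weak form from the thread: with HOME_NET set to 'any', EXTERNAL_NET is also
# --- 'any', so every rule that keys on $EXTERNAL_NET -> $HOME_NET matches all traffic
# --- in both directions and false positives go up.
# var HOME_NET any
# var EXTERNAL_NET any

# --- Corrected form: name the monitored network, define external as its complement.
var HOME_NET 10.10.10.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var HTTP_PORTS any

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor telnet_decode

# spp_portscan only raises an alert; it does not hand the scan packets to the log.
# Arguments as used in the thread: network to watch, port count, seconds, log file.
# Consequence for pcap replay (-r): a capture that holds only rule-triggered packets
# will not contain the scan packets, so no portscan alert can be reproduced from it.
preprocessor portscan: $HOME_NET 4 3 portscan.log

# Keep the packet log for the packets that did trigger a rule...
output log_tcpdump: snort.log
# ...and exactly one alert format. 'full' carries everything 'fast' does plus headers,
# so the second line below is dropped rather than duplicated.
output alert_full: snort_full
# output alert_fast: snort_fast

# Rule includes go here (omitted; not part of the thread).
```

With these settings the sensor can be run against the same binary capture with -r on both Snort versions; if the capture was written by the log_tcpdump plugin it only holds packets that matched a rule, which is the case Erek describes where the portscan cannot be seen on replay.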