Snort mailing list archives
Re: oh, come on
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 24 Sep 2003 15:27:31 -0400
At 02:27 PM 9/24/2003, Raymond Norton wrote:
Being the novice I am with compiling and diagnosing errors, I was really proud of myself when I followed the Red Hat 9.0 install docs and got everything working. httpd, mysql, and snort are all running without complaint. I pulled up the nice ACID page and commenced to do a port scan, but snort does not respond to it. My page stays the same (0 hits). I looked over the FAQ to see what might be there, and verified that I have everything set right. I substituted "log" with "alert" in the snort.conf without any luck.
Unless you have the portscan or portscan2 preprocessors, snort does not notice or care about trivial things like portscans.
Snort's ruleset in general looks for actual attack attempts: packets that appear to be attempting overflows, exploitation of mis-features in DNS, and the like.
Try using something like Nessus, or adding a snort rule that will alert on anything.
Also be sure that the HOME_NET and EXTERNAL_NET definitions are appropriate relative to the attack you are trying. In general most rules ignore attacks unless they come from a machine in EXTERNAL_NET and go to a machine in HOME_NET.
Portscans are so absurdly common these days that personally I give them no notice whatsoever. You may as well have a physical security guard make a note anytime a car enters your company parking lot containing more than one person.
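Why the HOME_NET/EXTERNAL_NET advice in the message above matters when testing from inside the LAN, as an added example that is not part of the original post or Snort's own code: a simplified model of how a rule header of the form `$EXTERNAL_NET any -> $HOME_NET any` is checked against a packet's addresses. The addresses and variable values are constructed, and ports, protocols and rule options are ignored.

```python
import ipaddress

def expand(spec, variables):
    """Resolve a snort.conf-style address spec to (negated, networks); networks is None for 'any'."""
    negated = False
    while True:
        spec = spec.strip()
        if spec.startswith("!"):        # negation, e.g. !$HOME_NET
            negated = not negated
            spec = spec[1:]
        elif spec.startswith("$"):      # variable reference, e.g. $HOME_NET
            spec = variables[spec[1:]]
        else:
            break
    if spec == "any":
        return negated, None
    nets = [ipaddress.ip_network(s.strip()) for s in spec.strip("[]").split(",")]
    return negated, nets

def addr_matches(ip, spec, variables):
    """True if a single IP address satisfies the address spec."""
    negated, nets = expand(spec, variables)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated

def header_matches(src, dst, variables,
                   rule_src="$EXTERNAL_NET", rule_dst="$HOME_NET"):
    """True if packet src -> dst satisfies 'rule_src any -> rule_dst any'."""
    return (addr_matches(src, rule_src, variables)
            and addr_matches(dst, rule_dst, variables))

# Constructed variable sets (assumptions, not taken from the poster's snort.conf).
STRICT = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
OPEN = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "any"}

# Constructed test traffic: (description, source, destination).
PACKETS = [
    ("test from a LAN workstation", "192.168.1.50", "192.168.1.10"),
    ("test from an outside host", "203.0.113.7", "192.168.1.10"),
]

def demo():
    """Return {(variable set, description): header matched?} for each combination."""
    return {(name, desc): header_matches(src, dst, variables)
            for name, variables in (("strict", STRICT), ("open", OPEN))
            for desc, src, dst in PACKETS}

if __name__ == "__main__":
    for key, matched in demo().items():
        print(key, "->", "rule can fire" if matched else "rule is skipped")
```

With EXTERNAL_NET set to `!$HOME_NET`, test traffic sent from a machine inside HOME_NET never satisfies the header, so such rules stay silent however the packet looks.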