Snort mailing list archives
No portscan traffic?
From: "Peters, Michael D." <Michael.Peters () acbl net>
Date: Fri, 16 Jan 2004 14:31:50 -0500
I had this working with 2.0.1 but now with 2.1.0, I no longer have portscan traffic showing up in ACID. I imagine it has something to do with my configuration but I don't see what it is that I am doing wrong. Does anyone see the obvious that I am missing?

preprocessor flow: stats_interval 300 hash 1
preprocessor portscan: 172.16.0.0/16 5 6 /var/snort/portscan/lan.portscan
preprocessor frag2
preprocessor stream4: keepstats, detect_scans, detect_state_problems, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server 172.16.0.140 profile apache ports { 80 443 12345 }
preprocessor http_inspect_server: server 172.16.0.8 profile apache ports { 80 443 3852 18080 }
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: \
    talker-sliding-scale-factor 0.50 \
    talker-fixed-threshold 30 \
    talker-sliding-threshold 30 \
    talker-sliding-window 20 \
    talker-fixed-window 30 \
    scoreboard-rows-talker 30000 \
    server-watchnet [172.16.0.55/32,172.16.0.140/32] \
    server-ignore-limit 200 \
    server-rows 65535 \
    server-learning-time 14400 \
    server-scanner-limit 4 \
    scanner-sliding-window 20 \
    scanner-sliding-scale-factor 0.50 \
    scanner-fixed-threshold 15 \
    scanner-sliding-threshold 40 \
    scanner-fixed-window 15 \
    scoreboard-rows-scanner 30000 \
    src-ignore-net [192.168.200.0/24] \
    dst-ignore-net [10.0.0.0/30] \
    alert-mode once \
    output-mode msg \
    tcp-penalties on
preprocessor perfmonitor: time 300 flow events file /var/ssnort/performance/snort.stats pktcnt 10000
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snortdb password=somepassword dbname=snort host=localhost sensor_name=LAN

Best regards,
Michael D. Peters
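An added example, not part of the post above and not Snort's own code: a small Python parser for the kind of snort.conf fragment quoted in the message. It joins backslash continuations the way Snort reads them, lists the enabled preprocessors and output plugins, pulls the flow-portscan options into a dict, and reports which configured preprocessors can raise scan alerts at all (portscan/portscan2, flow-portscan, and stream4 with detect_scans). Those are the facts to establish first when scan events stop arriving in an alert database. The embedded config is a constructed copy of the post's fragment; the function names are my own.

```python
import re

# Constructed copy of the snort.conf fragment quoted in the post above
# (flow-portscan continuation lines restored); sample input only.
SAMPLE_CONF = r"""
preprocessor flow: stats_interval 300 hash 1
preprocessor portscan: 172.16.0.0/16 5 6 /var/snort/portscan/lan.portscan
preprocessor frag2
preprocessor stream4: keepstats, detect_scans, detect_state_problems, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server 172.16.0.140 profile apache ports { 80 443 12345 }
preprocessor http_inspect_server: server 172.16.0.8 profile apache ports { 80 443 3852 18080 }
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: \
    talker-sliding-scale-factor 0.50 \
    talker-fixed-threshold 30 \
    talker-sliding-threshold 30 \
    talker-sliding-window 20 \
    talker-fixed-window 30 \
    scoreboard-rows-talker 30000 \
    server-watchnet [172.16.0.55/32,172.16.0.140/32] \
    server-ignore-limit 200 \
    server-rows 65535 \
    server-learning-time 14400 \
    server-scanner-limit 4 \
    scanner-sliding-window 20 \
    scanner-sliding-scale-factor 0.50 \
    scanner-fixed-threshold 15 \
    scanner-sliding-threshold 40 \
    scanner-fixed-window 15 \
    scoreboard-rows-scanner 30000 \
    src-ignore-net [192.168.200.0/24] \
    dst-ignore-net [10.0.0.0/30] \
    alert-mode once \
    output-mode msg \
    tcp-penalties on
preprocessor perfmonitor: time 300 flow events file /var/ssnort/performance/snort.stats pktcnt 10000
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snortdb password=somepassword dbname=snort host=localhost sensor_name=LAN
"""

# "preprocessor name: args" or "output name: args"; the colon is optional
# because bare directives such as "preprocessor frag2" have no arguments.
DIRECTIVE_RE = re.compile(r"^(preprocessor|output)\s+([\w\-]+)\s*:?\s*(.*)$")


def logical_lines(text):
    """Yield config lines with trailing-backslash continuations joined,
    blank lines and '#' comments dropped (mirrors how snort.conf is read)."""
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        joined = " ".join(part for part in pending if part)
        pending = []
        if joined and not joined.startswith("#"):
            yield joined


def parse_directives(text):
    """Return (kind, name, args) for every preprocessor/output directive."""
    found = []
    for line in logical_lines(text):
        m = DIRECTIVE_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3).strip()))
    return found


def output_plugins(text):
    """Names of the output plugins, i.e. where alerts can actually go."""
    return [name for kind, name, _ in parse_directives(text) if kind == "output"]


def flow_portscan_options(text):
    """Key/value options of the flow-portscan stanza as a dict."""
    for kind, name, args in parse_directives(text):
        if kind == "preprocessor" and name == "flow-portscan":
            toks = args.split()
            return dict(zip(toks[0::2], toks[1::2]))
    return {}


def scan_alert_sources(text):
    """Preprocessors in this config that can emit port-scan alerts:
    portscan/portscan2, flow-portscan, and stream4 when detect_scans is set."""
    sources = []
    for kind, name, args in parse_directives(text):
        if kind != "preprocessor":
            continue
        if name in ("portscan", "portscan2", "flow-portscan"):
            sources.append(name)
        elif name == "stream4" and "detect_scans" in args.replace(",", " ").split():
            sources.append(name)
    return sources


def missing_dependencies(text):
    """flow-portscan depends on the flow preprocessor; report it if absent."""
    names = [name for kind, name, _ in parse_directives(text) if kind == "preprocessor"]
    problems = []
    if "flow-portscan" in names and "flow" not in names:
        problems.append("flow-portscan requires 'preprocessor flow' to be enabled")
    return problems


if __name__ == "__main__":
    print("outputs:", output_plugins(SAMPLE_CONF))
    print("scan alert sources:", scan_alert_sources(SAMPLE_CONF))
    print("flow-portscan alert-mode:", flow_portscan_options(SAMPLE_CONF).get("alert-mode"))
    print("dependency problems:", missing_dependencies(SAMPLE_CONF) or "none")
```

Run against a real snort.conf, the same functions show at a glance whether the alert database is still among the output plugins, which scan detectors are enabled, and whether flow-portscan is set to alert once per scanner or continuously, which is the kind of cross-check that narrows a "no scan events after upgrade" report before touching thresholds.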