Snort mailing list archives

RE: Flow-portscan oddity


From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Tue, 13 Apr 2004 16:21:16 -0500

I haven't attempted the syslog method of alerting, but I doubt that's
it, being that their alerting method is centralized.  Have you generated
alerts on your own and verified them?

I've just attempted using your config with our setup, and again it did
not see my scans (and no, they did not originate from $HOME_NET).
What's your config for the flow preproc?

________________________________

From: Todd_Pratt () hartehanks com [mailto:Todd_Pratt () hartehanks com] 
Sent: Tuesday, April 13, 2004 2:02 PM
To: Douglas McCrea
Cc: Snort Users; snort-users-admin () lists sourceforge net
Subject: RE: [Snort-users] Flow-portscan oddity



flow-portscan works for me.  I get between 20 and 40 alerts per hour.
The only output I use is syslog so I don't know if that makes a
difference. 

Here's the line I use: 

        preprocessor flow-portscan: alert-mode once src-ignore-net $HOME_NET

I'm running 2.1.2 build 25 

Todd Pratt
Systems Security Certified Practitioner
IT Security Administrator
Harte Hanks, Inc.
ph 978-436-3368
tpratt () hartehanks com 
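An added illustration, not Snort's code and not anything posted in the thread: a toy sliding-window scan detector that models what the preprocessor line above asks for. "alert-mode once" fires a single time per scanning source, and "src-ignore-net" skips sources inside the ignored network; the window, threshold and sample flows are constructed for the example and are not Snort's defaults.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows: (seconds, src_ip, dst_ip, dst_port).
# Made up for this illustration; nothing here comes from the thread's sensors.
FLOWS = (
    # external host touching 40 ports of one target within four seconds
    [(t * 0.1, "203.0.113.5", "10.0.0.7", 1 + t) for t in range(40)]
    # a HOME_NET host doing the same thing (skipped, like src-ignore-net)
    + [(t * 0.1, "10.0.0.20", "10.0.0.7", 1 + t) for t in range(40)]
    # a host hammering a single port: many flows, but only one distinct target
    + [(50 + t * 0.1, "198.51.100.9", "10.0.0.7", 80) for t in range(40)]
)


def detect_portscans(flows, home_net="10.0.0.0/24", window=15.0,
                     threshold=20, alert_mode="once"):
    """Toy sliding-window scan detector; thresholds are constructed, not Snort's.

    A source is flagged when it contacts `threshold` distinct (dst_ip, dst_port)
    pairs within `window` seconds. alert_mode "once" reports each source a single
    time; "all" reports on every flow that keeps it over the threshold.
    Sources inside home_net are skipped, mirroring src-ignore-net.
    """
    ignore = ipaddress.ip_network(home_net) if home_net else None
    history = defaultdict(list)  # src -> [(ts, (dst_ip, dst_port)), ...]
    already_alerted = set()
    alerts = []
    for ts, src, dst, dport in sorted(flows):
        if ignore is not None and ipaddress.ip_address(src) in ignore:
            continue
        hist = history[src]
        hist.append((ts, (dst, dport)))
        # Age out entries older than the window before counting.
        hist = history[src] = [e for e in hist if ts - e[0] <= window]
        distinct_targets = {target for _, target in hist}
        if len(distinct_targets) < threshold:
            continue
        if alert_mode == "once" and src in already_alerted:
            continue
        already_alerted.add(src)
        alerts.append((round(ts, 1), src, len(distinct_targets)))
    return alerts


if __name__ == "__main__":
    for alert in detect_portscans(FLOWS):
        print("portscan from %s: %d distinct targets at t=%.1fs" % (alert[1], alert[2], alert[0]))
```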



"Douglas McCrea" <dmccrea () rutgers edu>
Sent by: snort-users-admin () lists sourceforge net
04/13/2004 11:56 AM

To: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
cc: "Snort Users" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Flow-portscan oddity

I've posted the same findings a few times to this list with little
response. You can use Portscan2 until someone fixes this. I've never
really gotten a satisfactory answer except, "yeah, it's your fault-
check the docs." or "Yeah, we know about some problems." But there has
never been a public acknowledgement that flow-portscan doesn't work or a
timeframe when a fix could be expected. Flow-portscan doesn't work for
me or anyone else I know. The lack of responses is most likely due to
nobody else getting this to work either.

-Doug

-----Original Message-----
From: Kreimendahl, Chad J [mailto:Chad.Kreimendahl () umb com] 
Sent: Tuesday, April 13, 2004 11:22 AM
To: Martin Roesch; Guillaume Arcas
Cc: Snort Users
Subject: RE: [Snort-users] Flow-portscan oddity


Yes, everyone says this... And I've checked it out many times over, and
adjusted my numbers accordingly... And yet... Not a single alert.   I've
tried the different alert modes, different output methods... Very small
numbers on requirements.

But it seems to me that the default setup, by my reading of the doc
file... If I were to scan a system on that network across all 65535
ports in the span of 15 seconds, that there should be at least 1 (ONE)
alert.  But when I do the same thing across 30 machines on the same
network and all 65k ports in the span of a few minutes, nothing as well.
So it seems to me that there is either something wrong with either or
both of the documentation and the preprocessor.

If it comes down to it, I have copies of the 20 or so different configs
I've run. 

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: Tuesday, April 13, 2004 8:56 AM
To: Guillaume Arcas
Cc: Snort Users
Subject: Re: [Snort-users] Flow-portscan oddity

Check out README.flow-portscan in the doc directory of your snort
distro.

     -Marty

On Apr 13, 2004, at 2:31 AM, Guillaume Arcas wrote:

Kreimendahl, Chad J said:

Using the default configuration for flow and flow portscan... And
testing it on an external interface... We're seeing absolutely no
alerts triggered.  I've attempted using many output mechanisms,
hoping that it wasn't the method we were using, and the results are
the same.   I'm 100% positive there were several scans happening on
this same interface, as I ran portscan2 at the same time with a
different snort, on the same interface.   Many noisy ugly alerts from
portscan2... Nothing from flow-portscan.

Same for me...

Is there any documentation about this plugin and its configuration
anywhere other than the code itself?


--
Guillaume Arcas

--------------------------------------------------
We must part. We are two children; we have done something foolish.
(Yvonne de Galais)


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux 
tutorial presented by Daniel Robbins, President and CEO of GenToo 
technologies. Learn everything from fundamentals to system 
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring roesch () sourcefire com -
http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


