Snort mailing list archives
Snort-2.1.3 Portscan
From: "McCash, John" <John.McCash () andrew com>
Date: Mon, 16 Aug 2004 14:19:46 -0500
One thing I should clarify about my previous post: you can get portscan alerts to log and display in the ACID alert pages, just not in the main page with the traffic profile bars. It also doesn't display in a very readable format, as you have to set output-mode to 'pktkludge' in the flow-portscan configuration section.

John McCash

-----Original Message-----
From: McCash, John
Sent: Monday, August 16, 2004 2:10 PM
To: 'Scott Elgram'; snort-users () lists sourceforge net; 'erek () snort org'
Subject: RE: [Snort-users] Snort-2.1.3 Portscan

Scott,

This needs to go in the FAQ. Because Roman hasn't updated ACID in ages, it lacks support for flow-portscan. To get ACID to properly recognize portscans, you need to go back to portscan2, which is still implemented in the code, but no longer listed in the default conf file. There are a number of articles in the snort-users mailing list archives that address this, including http://marc.theaimsgroup.com/?l=snort-users&m=109044048107572&w=2.

On a side note, Roman is purportedly working on a major update for ACID in conjunction with other work, but it's apparently going slow. We're hoping for something in the Q1 '05 timeframe.

John McCash

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Scott Elgram
Sent: Monday, August 16, 2004 10:45 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort-2.1.3 Portscan

Hello,

I am trying to configure a SNORT 2.1.3 system with MySql and Acid. I have it all up and running just fine right now except for one thing. I can't seem to get anything to register in the port scan traffic section of Acid. I have looked through my Snort.conf for anything and found the flow-portscan preprocessor. I uncommented it and configured it as follows:

--------------------------------------------------------
preprocessor flow-portscan: \
    unique-memcap 5000000 \
    unique-rows 50000 \
    server-watchnet [192.168.0.0/24] \
    server-learning-time 300 \
    server-scanner-limit 50 \
    alert-mode once \
    output-mode msg \
    tcp-penalties on
--------------------------------------------------------

Even with this configuration I still can't seem to get anything to register in that particular section. I am using superscan and scanning various IP's on the network SNORT is watching. Have I configured this wrong maybe?

Thanks,
-Scott

-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com - Lowest price on Blank Media. 100pk Sonic DVD-R 4x for only $29, 100pk Sonic DVD+R for only $33. Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift. http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
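As an added illustration, not part of the thread, here is Scott's flow-portscan block with the single change John's follow-up calls for: output-mode switched from msg to pktkludge so that the alerts are written in a form ACID can log and show on its alert pages. Every key and value other than output-mode is copied from Scott's posted configuration; the surrounding snort.conf is assumed to be otherwise unchanged.

```conf
# Added example: Scott's flow-portscan block, with only output-mode changed.
# John's note: 'msg' output never reaches ACID's alert pages; 'pktkludge'
# does, at the cost of readability.  The main-page traffic profile bars
# still will not show these events, since ACID has no flow-portscan support.
preprocessor flow-portscan: \
    unique-memcap 5000000 \
    unique-rows 50000 \
    server-watchnet [192.168.0.0/24] \
    server-learning-time 300 \
    server-scanner-limit 50 \
    alert-mode once \
    output-mode pktkludge \
    tcp-penalties on
```

After changing the line, restart Snort and re-run the test scan; check the ACID alert listing rather than the portscan traffic section, which, as John notes, will stay empty until ACID is updated or portscan2 is used instead.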
Current thread:
- Snort-2.1.3 Portscan Scott Elgram (Aug 16)
- Message not available
- Re: Snort-2.1.3 Portscan Scott Elgram (Aug 16)
- Message not available
- <Possible follow-ups>
- RE: Snort-2.1.3 Portscan McCash, John (Aug 16)
- Re: Snort-2.1.3 Portscan Scott Elgram (Aug 23)
- Snort-2.1.3 Portscan McCash, John (Aug 16)
- RE: Snort-2.1.3 Portscan McCash, John (Aug 24)
- Re: Snort-2.1.3 Portscan Scott Elgram (Aug 24)