Snort mailing list archives

Re: Cannot detect port scans


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 05 Oct 2004 14:32:45 -0400

At 02:03 PM 10/5/2004, RD R wrote:
I have snort running on an XP Pro box with MySQL and ACID and WinPcap. Everything is working fine, however I cannot detect port scans. I have run nmap and SuperScan against my network and I cannot detect them. I set the XP box to 0.0.0.0 for IP and I placed the box inside of the firewall. I spanned the ports on our Cisco switch and I am monitoring any traffic that crosses the switch. I would like to include my snort.conf file so all can see it, but when I do the list rejects my email :( How can I enable the port scan? I have uncommented the flow-portscan preprocessors. Thanks.

From looking at your snort.conf you've got flow-portscan enabled and your watchnet set to 10.2.0.0/30.

Have you fired up a packet sniffer such as packetyzer, windump, etc, to verify the portscans to 10.2.0.0/30 are actually reaching your snort box?

I know you've got a span port set on your switch, but I'd really suggest the sniffer so you can verify it's really doing what you think.



P.S. your snort.conf came across just fine in both of your previous posts (yesterday morning and this morning). Those rejection messages were probably generated by broken mailservers of some subscribers who don't understand RFC requirements for email return-paths, or are using crappy "mail filter" tools that don't understand RFC requirements. If you look closely you'll see it wasn't generated by a sourceforge machine, but some other network's broken mailserver and it's sending it to you (the message From: address) rather than the envelope return (which should go to the list admin).

Some of these systems bounce back, in a broken manner, any message that contains a single instance of one of a list of words like "vulnerability" or "exploit", thinking it's pornographic, or "ink", thinking it's printer-cartridge spam. Gotta love broken spam filtering with severely broken bouncing.

Ignore the broken rejections, or if the recipient is obvious report them to the list-admin so they can be removed from the list before they cause more trouble.
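An added illustration of the two things this reply asks the poster to check, written for this archive page rather than taken from the thread or from Snort itself. It models the watchnet as the /30 quoted from the poster's snort.conf and runs a deliberately simplified per-source distinct-port count over a constructed packet list, the kind of (src, dst, dport) tuples a sniffer such as windump would show. The threshold, the sample addresses and the counting rule are assumptions for illustration; Snort's flow-portscan preprocessor uses its own scoring and time windows, which this does not reproduce. The point it makes concrete is that 10.2.0.0/30 covers only 10.2.0.0 through 10.2.0.3, so scans aimed at any other host on the segment never enter the count, no matter how well the SPAN port works.

```python
import ipaddress
from collections import defaultdict

# Watchnet quoted from the poster's snort.conf in the reply above.
WATCHNET = ipaddress.ip_network("10.2.0.0/30")

# Constructed sample traffic, labelled as such: (src, dst, dport) as a
# packet sniffer on the SPAN port would show it.  10.2.0.9 is a
# hypothetical scanning host; 10.2.0.50 and 10.2.0.2 are hypothetical targets.
SAMPLE_PACKETS = [
    # nmap-style sweep of 10.2.0.50, which is NOT inside 10.2.0.0/30
    ("10.2.0.9", "10.2.0.50", 21), ("10.2.0.9", "10.2.0.50", 22),
    ("10.2.0.9", "10.2.0.50", 23), ("10.2.0.9", "10.2.0.50", 25),
    ("10.2.0.9", "10.2.0.50", 80), ("10.2.0.9", "10.2.0.50", 110),
    ("10.2.0.9", "10.2.0.50", 139), ("10.2.0.9", "10.2.0.50", 443),
    # sweep of 10.2.0.2, which IS inside 10.2.0.0/30
    ("10.2.0.9", "10.2.0.2", 22), ("10.2.0.9", "10.2.0.2", 80),
    ("10.2.0.9", "10.2.0.2", 443), ("10.2.0.9", "10.2.0.2", 3306),
    ("10.2.0.9", "10.2.0.2", 8080),
    # ordinary web traffic from another host to a watched address
    ("10.2.0.7", "10.2.0.1", 80), ("10.2.0.7", "10.2.0.1", 80),
]

# Hypothetical threshold for this toy heuristic (not a Snort parameter).
SCAN_THRESHOLD = 4


def in_watchnet(dst, watchnet=WATCHNET):
    """True if the destination address falls inside the watched network."""
    return ipaddress.ip_address(dst) in watchnet


def distinct_ports_per_source(packets, watchnet=WATCHNET):
    """Map each source to the set of destination ports it touched on
    watched hosts only.  Traffic to unwatched destinations is dropped
    here, which is what makes a too-small watchnet look like 'no scans'."""
    seen = defaultdict(set)
    for src, dst, dport in packets:
        if in_watchnet(dst, watchnet):
            seen[src].add(dport)
    return seen


def flag_scanners(packets, threshold=SCAN_THRESHOLD, watchnet=WATCHNET):
    """Return {src: distinct_port_count} for sources at or above threshold."""
    counts = distinct_ports_per_source(packets, watchnet)
    return {src: len(ports) for src, ports in counts.items()
            if len(ports) >= threshold}


if __name__ == "__main__":
    print("watchnet covers", [str(a) for a in WATCHNET])
    print("flagged with /30 watchnet:", flag_scanners(SAMPLE_PACKETS))
    wider = ipaddress.ip_network("10.2.0.0/24")
    print("flagged with /24 watchnet:", flag_scanners(SAMPLE_PACKETS, watchnet=wider))
```

With the /30 only the sweep of 10.2.0.2 is counted; widening the watchnet to the /24 the poster is actually scanning also pulls in the 10.2.0.50 sweep. To do the first half of the check the reply asks for, run the sniffer with a destination filter matching the configured watchnet, e.g. `windump -n dst net 10.2.0.0/30` (tcpdump uses the same BPF syntax), and confirm the scan packets appear there before blaming the preprocessor.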





