Snort mailing list archives

Snort 2.6.1 false negative - not detecting port scans


From: Hari Sekhon <hpsekhon () googlemail com>
Date: Fri, 13 Jun 2008 10:59:18 +0100

Hi,

   I have a couple of snort sensors with the sfportscan preprocessor 
enabled and set to sensitivity high with no ignored scanners and have 
then proceeded to test this using nmap to do the most standard syn and 
connect scans directly against those sensors and snort has failed on 
both sensors to detect this.

I am outputting to both syslog and base via barnyard and no portscan 
alerts have been logged, nor has the unified alert file grown at all, so 
snort is definitely not logging this. I am sure snort was logging this 
before the other day when I was testing this.

Any ideas why snort is failing such a basic test?

-h

-- 
Hari Sekhon

