Snort mailing list archives

Re: how to disable spp_portscan?


From: robe () alfa21 com (Roberto Suarez Soto)
Date: Wed, 19 Dec 2001 10:48:30 +0100

On Dec/18, Phil Wood wrote:

> There is no way that the portscan preprocessor will run if you have
> commented it out of your config file.  Since you have shown us a config file
> with it commented out.  Run snort without the quiet option, and send us
> the command line you use to start snort as well as the configuration file.

        I've already done so in another message addressed to Chris Green,
please see it. I'll try the "quiet" thing just as I finish this message :-)

> Also, depending on who designed your configuration, you might have "include"
> files in your "conf" file which negate anything you think you might have
> done to turn off portscan.

        Well, I have indeed an include, which includes the rest of the .rules
files in /etc/snort. But I think that the alerts that I reported are not from
those files. At least, they shouldn't be :-)

> And finally, the next time you request help, please include information
> like: the operating system you are running, the version of that operating
> system, where you obtained snort, who compiled it, who configured it, what
> version you are running, what snort command line options you use, the
> contents of your configuration file, and in addition anything else that
> might help someone figure out what the hell you are doing.

        Ooops. My humble excuses O:-) I was quite pissed off for not knowing
what the hell was happening, and surely that reflected in my messages. I'm
sorry, what more can I say :-)

        Well, better late than never. As I said to Chris, I built snort
myself, using the Debian templates for 1.8p1 version, and changing a few
things (basically, just removing mysql support and adding postgresql support
instead). The sources were downloaded from snort's home page. Anyway, as for
the rest of the information:

        - OS is Debian, more or less experimental (i.e., many packages from
          "sid" version)
        - Kernel is Linux 2.4.14, with patches for aacraid cards
        - Version of packages related to snort:
                - libc6 2.2.4 (debian package 2.2.4-6)
                - libpcap 0.6.2 (debian package 0.6.2-2)
        - Rules are from day 2001-12-14 (downloaded from snort's home page)
        - The box is a firewall with 3 ethernet cards, and snort is listening
          on eth0. This interface has 9 IPs, for masquerading and
          port-forwarding of several servers behind it. It also works as IPSec
          gateway. IPSec is working in the same eth0.

        I don't know if I should give any more info. If so, just ask :-)

-- 
Roberto Suarez Soto                                     Alfa21 Outsourcing
    robe () alfa21 com                               http://www.alfa21.com
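
The include-file question raised in the quoted text can be checked mechanically. The script below is an added example, not part of the original message or of Snort: it follows `include` directives from a top-level config and lists every uncommented `preprocessor portscan` (or `portscan-ignorehosts`) line it reaches. It assumes relative include paths resolve against the including file's directory; the file names and contents in `demo()` are constructed.

```python
import os
import re
import tempfile

# Both patterns are anchored at line start, so '#'-commented lines never match.
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
PREPROC_RE = re.compile(r"^\s*preprocessor\s+(portscan[\w-]*)\b")

def find_portscan(conf_path, seen=None):
    """Return (file, line_no, text) for each active portscan preprocessor
    line reachable from conf_path through include directives."""
    seen = set() if seen is None else seen
    real = os.path.realpath(conf_path)
    if real in seen or not os.path.isfile(real):
        return []  # include loop, or a path that does not resolve to a file
    seen.add(real)
    hits = []
    with open(real, encoding="latin-1") as fh:
        for no, line in enumerate(fh, 1):
            if PREPROC_RE.match(line):
                hits.append((real, no, line.strip()))
            m = INCLUDE_RE.match(line)
            if m:
                # Assumption: relative includes are relative to this file.
                target = os.path.join(os.path.dirname(real), m.group(1))
                hits.extend(find_portscan(target, seen))
    return hits

def demo():
    """Constructed sample: portscan is commented out in snort.conf but
    switched back on by an included file (which also loops back)."""
    files = {
        "snort.conf": "# preprocessor portscan: $HOME_NET 4 3 portscan.log\n"
                      "include local.conf\ninclude web.rules\n",
        "local.conf": "preprocessor portscan: $HOME_NET 4 3 portscan.log\n"
                      "include snort.conf\n",
        "web.rules": 'alert tcp any any -> any 80 (msg:"constructed";)\n',
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        found = find_portscan(os.path.join(d, "snort.conf"))
        return [(os.path.basename(f), n, t) for f, n, t in found]

if __name__ == "__main__":
    for f, n, t in demo():
        print(f"{f}:{n}: {t}")
```

An empty result for a real config means no included file re-enables the preprocessor, so the alerts have to come from somewhere else, such as a different config file named on the command line.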
