Snort mailing list archives

Re: not logging portscans

From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 23 May 2002 21:39:57 -0400

Is your snort sensor attached to a network switch? what about a "dual speedauto switching hub"?

Snort can only see what goes by the ethernet it's attached to, and networkswitches only send traffic to the machines that need it. (ie: you'll seebroadcasts, like ARPs from other machines, but no traffic sent to themalone). Internally auto switching hubs are more like a 10mbit hub and a100mbit hub with a 2 port switch between them, so the 10mbit ports don'tsee traffic exclusively between two 100mbit ports, or vice versa.

You can tinker around a bit using tcpdump to see what's going by yourethernet port to see if it's an ethernet level problem, or a snortconfiguration problem.



At 01:47 PM 5/23/2002 +0100, Fage Martin wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello
Snort doesnt seem to detect any portscanning activity except when
directly scanning snort
machine!
Any ideas?
        Thanks



-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPOzk5oM7OF/nbs7zEQJnyACfbuucvZZ8WdxKJjSYlX0lZwjhe4MAoPtF
khS+ePmh0zVGPxBG/3nmFbbE
=HX1T
-----END PGP SIGNATURE-----

_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

not logging portscans Fage Martin (May 23)
- Re: not logging portscans Matt Kettler (May 23)
- <Possible follow-ups>
- RE: not logging portscans McCammon, Keith (May 23)