Snort mailing list archives

RE: nmap scans don't appear in portscan.log


From: "Fallon, Benjamin" <bfallon () Businessedge com>
Date: Tue, 2 Apr 2002 06:03:46 -0500

Cisco calls em span ports.

Ben

(Just had to get my two cents in there ;-) )
-----Original Message-----
From: Jason Yates [mailto:jyates () dataservice org] 
Sent: Monday, April 01, 2002 3:56 PM
To: Salomon, Charlie
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] nmap scans don't appear in portscan.log


On Mon, 2002-04-01 at 15:24, Salomon, Charlie wrote:
I'm a Snort newbie and need some help.  I configured Snort 1.8.4 on 
Linux (Slackware 7.1) with the default snort.conf file except for the
HOME_NET variable.  We use a 172.xx.x.0 internal network with a
255.255.252.0 mask.  The HOME_NET entry is 172.xx.x.0/22.

I ran nmap against the Snort box and the scans were properly detected.  
However, when I ran a scan against other machines on our network, the 
scans were not detected.  I am running snort as a daemon with the 
following parameters:

snort -b -y -A fast -c snort.conf -M wrkstns -D

I ran snort -vde, and I am seeing packets from other machines. All 
scans are from an internal machine to other internal machines, and on the
same subnet.
All preprocessors pertaining to scans are active as well as the scan.rules.

Unless you have snort hooked up to a monitor port on a switch or something,
Snort can't see the traffic, therefore it can't report bad traffic.  You
should probably check with your Network Administrator, and ask him/her to
make a monitor port on your switch.  I actually duplicate all the traffic
going to and from my router port on to another port, which is hooked up to a
monitor server.  3com switches call this feature roving analysis, and I
can't remember what cisco calls it.

If you need any help email me.

-Jason


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
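
Added example, not part of the original thread: a small check a sensor operator can run to tell whether the capture interface sees unicast traffic between other hosts (what a monitor/span port delivers) or only broadcasts and the sensor's own traffic (what an ordinary switch port delivers). It assumes link-level headers as printed by `tcpdump -e -n`; the function names, MAC addresses and capture lines are constructed for illustration.

```python
import re

# Link-level header as printed by `tcpdump -e -n`:
#   <time> <src mac> > <dst mac>, ethertype ...
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
FRAME_RE = re.compile(r"^\S+\s+" + MAC + r" > " + MAC + r",", re.I)

def is_group_address(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1

def classify(lines, sensor_mac):
    """Count frames by whether an ordinary (unmirrored) port would deliver them."""
    sensor_mac = sensor_mac.lower()
    counts = {"own": 0, "group": 0, "transit": 0, "unparsed": 0}
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if not m:
            counts["unparsed"] += 1
            continue
        src, dst = m.group(1).lower(), m.group(2).lower()
        if is_group_address(dst):
            counts["group"] += 1      # flooded to every port, mirrored or not
        elif sensor_mac in (src, dst):
            counts["own"] += 1        # traffic to or from the sensor itself
        else:
            counts["transit"] += 1    # unicast between two other hosts
    return counts

def sees_other_hosts_unicast(counts):
    """True only if the interface receives unicast not addressed to the sensor."""
    return counts["transit"] > 0

# Constructed sample input (locally administered MACs, documentation IPs).
SENSOR = "02:00:00:00:00:01"
UNMIRRORED = [
    "15:24:01.000001 02:00:00:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.9 tell 192.0.2.5, length 46",
    "15:24:02.000001 02:00:00:00:00:03 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 192.0.2.7.40000 > 192.0.2.2.22: Flags [S], length 0",
    "15:24:02.000050 02:00:00:00:00:01 > 02:00:00:00:00:03, ethertype IPv4 (0x0800), length 74: 192.0.2.2.22 > 192.0.2.7.40000: Flags [S.], length 0",
]
MIRRORED = UNMIRRORED + [
    "15:24:03.000001 02:00:00:00:00:02 > 02:00:00:00:00:03, ethertype IPv4 (0x0800), length 74: 192.0.2.5.40001 > 192.0.2.7.80: Flags [S], length 0",
]

if __name__ == "__main__":
    for name, capture in (("unmirrored", UNMIRRORED), ("mirrored", MIRRORED)):
        c = classify(capture, SENSOR)
        print(name, c, "sees other hosts:", sees_other_hosts_unicast(c))
```

Seeing packets from other machines in `snort -vde` is consistent with the "group" bucket alone; only a non-zero "transit" count shows the sensor can observe scans between other hosts.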
