Snort mailing list archives
Re: UDP Portscans Are Not Capture
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 30 Sep 2002 07:24:33 -0700 (PDT)
On Mon, 30 Sep 2002, Grigoris Vidakis wrote:
I run snort Version 1.8.3 (Build 88) on linux 7.2 (2.4.17), which alerts me about the UDP portscans correctly (portscan.log, snort.fast, snort.full), BUT when I run snort Version 1.8.7 (Build 128) on linux 7.3 (2.4.18-3) with the same snort.conf and a snort binary file as the input (-r), captured from 1.8.3 (which had alerted me about UDP portscans), snort 1.8.7 does not alert on the UDP portscans!!!
There are a couple of things that you need to consider. You are having trouble with a pcap file on one version and not the other... But you also changed versions of OS, kernel, and most importantly libpcap. spp_portscan doesn't send packets into the log or alert facility. It just sends an alert when it spots a scan. Unless you're logging every packet to that box in a pcap file, you won't have the packets that triggered the portscan, unless that packet also triggered a rule--that would trigger the rule and log the packet. And a couple of helpful suggestions below:
Below is the snort.conf which I use for the 2 sensors.
var HOME_NET any
var EXTERNAL_NET any
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var HTTP_PORTS any
Don't use 'any'. Set your HOME_NET to 10.10.10.0/24 (or whatever) and then EXTERNAL_NET to !$HOME_NET. That will help on a lot of false positives.
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
output log_tcpdump: snort.log
output alert_full: snort_full
output alert_fast: snort_fast
Only log one type of alert. Don't output to both full and fast. The only difference is the amount of info. If you are using full then you get all the same info as fast, just with a little bit extra.
Does anyone have an idea about what is wrong??
Hope that helps!
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
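The two configuration suggestions in the reply above (HOME_NET/EXTERNAL_NET should not both be 'any', and only one alert output should be enabled) are easy to check mechanically. The following is an added example written for this archive page, not code from the thread or from the Snort project: a small Python audit that parses the `var` and `output` lines of a snort.conf and reports those two weaknesses. The embedded WEAK_CONF is the snort.conf fragment quoted in the thread, constructed here as sample input; FIXED_CONF applies the reply's suggestions (the 10.10.10.0/24 value is the example network from the reply, not a real deployment). The parser handles only the `var` and `output` directives that the check needs; it is not a full snort.conf grammar.

```python
"""Audit a snort.conf fragment for the two weaknesses flagged in the reply."""
import re

# Constructed sample input: the snort.conf fragment quoted in the thread.
WEAK_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var HTTP_PORTS any
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
output log_tcpdump: snort.log
output alert_full: snort_full
output alert_fast: snort_fast
"""

# Constructed sample: the same fragment with the reply's suggestions applied
# (example network 10.10.10.0/24, EXTERNAL_NET derived from HOME_NET,
# and the duplicate fast alert output dropped in favour of the full one).
FIXED_CONF = (
    WEAK_CONF.replace("var HOME_NET any", "var HOME_NET 10.10.10.0/24")
    .replace("var EXTERNAL_NET any", "var EXTERNAL_NET !$HOME_NET")
    .replace("output alert_fast: snort_fast\n", "")
)


def parse_conf(text):
    """Return (variables dict, list of output plugin names) from snort.conf text.

    Only 'var NAME VALUE' and 'output PLUGIN[: args]' lines are interpreted;
    comments (after '#') and other directives are ignored.
    """
    variables = {}
    outputs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"var\s+(\S+)\s+(.+)$", line)
        if m:
            variables[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"output\s+(\w+)(?::\s*(.*))?$", line)
        if m:
            outputs.append(m.group(1))
    return variables, outputs


def audit_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    variables, outputs = parse_conf(text)
    findings = []
    # An undefined HOME_NET behaves like 'any' for this check, so default to it.
    if variables.get("HOME_NET", "any") == "any":
        findings.append("HOME_NET is 'any': set it to the monitored network CIDR")
    if variables.get("EXTERNAL_NET", "any") == "any":
        findings.append("EXTERNAL_NET is 'any': set it to !$HOME_NET")
    # alert_full and alert_fast carry the same alerts; one of them is enough.
    alert_outputs = [name for name in outputs if name.startswith("alert_")]
    if len(alert_outputs) > 1:
        findings.append("multiple alert outputs enabled: " + ", ".join(alert_outputs))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: {audit_conf(conf) or ['no findings']}")
```

Run against the quoted configuration the audit reports three findings (HOME_NET, EXTERNAL_NET, and the duplicate alert_full/alert_fast outputs); against the corrected version it reports none. The packet-capture point in the reply is not something a config check can catch: spp_portscan only raises an alert, so the packets behind a portscan are present in the pcap only if every packet was being logged or a rule also fired on them.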