Snort mailing list archives

Re: UDP Portscans Are Not Capture


From: "Grigoris Vidakis" <gvidakis () lab epmhs gr>
Date: Tue, 1 Oct 2002 11:31:13 +0300

Hi all,
Gammon has a point!
  In order for the UDP portscans to be analyzed by Snort, we must change the
line scansToWatch = ~(sRESERVEDBITS | sUDP) in the file spp_portscan.c
to scansToWatch = ~(sRESERVEDBITS).
  So Snort will look for all packets except those which have the
reserved bits set. Previously Snort was looking for all packets except
those AND THE UDP ones.


Dear Erek,

I used the wildcard any in order to hide my network IP from the Snort
list. Of course I use your suggestions.

> Don't use 'any'.  Set your HOME_NET to 10.10.10.0/24 (or whatever) and
> then EXTERNAL_NET to !$HOME_NET.  That will help on a lot of false positives.

  My team ISL is a member of the Honeynet Alliance, www.honeynet.org. So we
must get all the output which Snort provides (in any format), which is the
input to our research! (We also use the following configuration in order to
capture everything.)
  log tcp any any <> $HOME_NET any (msg: "Unmatched TCP"; session: printable;)
  log udp any any <> $HOME_NET any (msg: "Unmatched UDP"; session: printable;)
  log icmp any any <> $HOME_NET any (msg: "Unmatched ICMP"; session: printable;)

> Only log one type of alerts.  Don't output to both full and fast.  The
> only difference is the amount of info.  If you are using full then you get
> all the same info as fast, just with a little bit extra.


Dear Jim,
  The output of Snort 1.8.3 is not generated from the -b option.

> Or, is it the case that the output of Snort 1.8.3 (via -b) is becoming
> the input to Snort 1.8.7 (via -r)?  If this is the case, then Erek
> correctly noted that the binary (libpcap format) output of 1.8.3 may
> not be as complete as you think.  Specifically, the packets that
> spp_portscan writes to its portscan.log file will only appear in that
> file and will not appear in the binary output file.


Best Regards,
  grigoris
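An added illustration of why the scansToWatch mask change discussed in this message matters; it is not code from the post or from Snort's own spp_portscan.c. The flag names follow the post, while the bit values and the "a scan is reported if any of its type bits survives the mask" test are assumptions made for the demo.

```c
/* Demo of the spp_portscan.c mask change: which scan types get reported
 * before and after removing sUDP from the excluded set.
 * Bit values below are ASSUMED for this demo, not taken from Snort. */
#include <stdbool.h>
#include <stdio.h>

/* Scan-type flags (values assumed). A detected scan carries one or
 * more of these bits; scansToWatch decides which ones are reported. */
#define sSYNFIN       0x01
#define sNULL         0x02
#define sXMAS         0x04
#define sUDP          0x08
#define sRESERVEDBITS 0x10

/* Original line quoted in the post: everything except reserved-bit
 * scans AND UDP scans is watched, so UDP portscans are never logged. */
#define SCANS_TO_WATCH_OLD (~(sRESERVEDBITS | sUDP))

/* Proposed change: only reserved-bit scans are excluded. */
#define SCANS_TO_WATCH_NEW (~(sRESERVEDBITS))

/* Assumed reporting rule: a scan is logged when at least one of its
 * type bits is still set after applying the watch mask. */
bool scan_is_watched(int scan_type, int scans_to_watch)
{
    return (scan_type & scans_to_watch) != 0;
}

/* Wrappers so the two behaviours can be compared side by side. */
bool watched_before_fix(int scan_type)
{
    return scan_is_watched(scan_type, SCANS_TO_WATCH_OLD);
}

bool watched_after_fix(int scan_type)
{
    return scan_is_watched(scan_type, SCANS_TO_WATCH_NEW);
}

int main(void)
{
    int types[] = { sSYNFIN, sXMAS, sUDP, sRESERVEDBITS };
    const char *names[] = { "SYN/FIN", "XMAS", "UDP", "reserved bits" };
    for (int i = 0; i < 4; i++)
        printf("%-14s before fix: %d  after fix: %d\n", names[i],
               watched_before_fix(types[i]), watched_after_fix(types[i]));
    return 0;
}
```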


