Snort mailing list archives

Preprocessor PortScan2 is not doing what it.....


From: "mike Hughes" <mikehughes013 () hotmail com>
Date: Fri, 14 Mar 2003 21:42:18 -0800

Hello,

I ran into a problem with "preprocessor portscan2". My snort.conf file is below. When I add eth0_ADDRESS to:
preprocessor portscan2-ignorehosts: $DNS_SERVERS $eth0_ADDRESS

SNORT starts PROPERLY and it stops alerting on the web traffic, "that's what I want", BUT it also STOPS alerting me for PORTSCANS. I checked this twice, once with it on the line and once without it, and when it wasn't there it LOGGED MY PORT SCANS. **(SO I'm not sure what to try now to get rid of the WEBTRAFFIC but still LOG PORTSCANS???)**

"nmap -vv -sS -P0 -p1-50 eth0_ADDRESS IP" --from a machine on a different network-- HERE IS what got LOGGED to ACID without the eth0_ADDRESS on the portscan2 ignore line:

[snort] (spp_portscan2) Portscan detected from 152.175.40.197: 1 targets 16 ports in 6 seconds 2003-03-14 21:52:08 152.175.40.197:35456 152.175.60.183:20 TCP
#1-(2-1624) [snort] (spp_portscan2) Portscan detected from 152.175.40.197: 1 targets 16 ports in 12 seconds 2003-03-14 21:51:14 152.175.40.197:35453 152.175.60.183:19 TCP
#2-(2-1623) [snort] (spp_portscan2) Portscan detected from 152.175.40.197: 2 targets 16 ports in 18 seconds 2003-03-14 21:50:38 152.175.40.197:35453 152.175.60.183:1 TCP


Here is my NETWORK setup again!
eth1--->192.168.0.1 LAN INTERFACE
eth0--->INTERNET INTERFACE

INTERNET---->FIREWALL(snort)---->LAN

**Here is my "/etc/snort/snort.conf"**  "DOESN'T LOG with this setup"
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 192.168.0.1
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2-ignorehosts: $DNS_SERVERS $eth0_ADDRESS
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 15, timeout 60
output database: alert, mysql, user=snort password=snort dbname=snort host=127.0.0.1
include classification.config
include reference.config
include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-iis.rules
include web-frontpage.rules
include web-misc.rules
include web-client.rules
include web-php.rules
include sql.rules
include x11.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
include oracle.rules
include mysql.rules
include snmp.rules
include smtp.rules
include imap.rules
include pop3.rules
include pop2.rules
include nntp.rules
include other-ids.rules
include icmp-info.rules
include experimental.rules
include local.rules
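An added example (not from the post and not Snort's own code) that parses the var and portscan2-ignorehosts lines of a config like the one above, expands the $ references, and checks the scanner address from the quoted spp_portscan2 alerts against the resulting list. It assumes ignorehosts entries are matched against the scanning source address, and uses a placeholder value for eth0_ADDRESS because the post never gives the real one.

```python
import ipaddress
import re
# Constructed excerpt of the poster's snort.conf (the variable lines only).
# eth0_ADDRESS, the sensor's interface address, is not stated in the post,
# so an assumed placeholder value is used here.
SNORT_CONF = """
var eth0_ADDRESS 203.0.113.10
var HOME_NET $eth0_ADDRESS
var DNS_SERVERS 192.168.0.1
preprocessor portscan2-ignorehosts: $DNS_SERVERS $eth0_ADDRESS
"""

# The three spp_portscan2 alerts quoted in the post, one per line.
ALERTS = """
[snort] (spp_portscan2) Portscan detected from 152.175.40.197: 1 targets 16 ports in 6 seconds
[snort] (spp_portscan2) Portscan detected from 152.175.40.197: 1 targets 16 ports in 12 seconds
[snort] (spp_portscan2) Portscan detected from 152.175.40.197: 2 targets 16 ports in 18 seconds
"""

ALERT_RE = re.compile(r"Portscan detected from (?P<src>[\d.]+): (?P<targets>\d+) "
                      r"targets (?P<ports>\d+) ports in (?P<secs>\d+) seconds")

def _expand(token, variables):
    # Replace a $NAME reference with its value; other tokens pass through.
    return variables.get(token[1:], token) if token.startswith("$") else token

def parse_conf(text):
    """Return (variables, ignorehosts networks) with $var references expanded."""
    variables, ignore = {}, []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "var":
            variables[parts[1]] = " ".join(_expand(p, variables) for p in parts[2:])
        elif parts[:2] == ["preprocessor", "portscan2-ignorehosts:"]:
            ignore = [ipaddress.ip_network(_expand(p, variables), strict=False)
                      for p in parts[2:]]
    return variables, ignore

def parse_alerts(text):
    """Extract scanner source, target/port counts and time window per alert."""
    return [{"src": m["src"], "targets": int(m["targets"]),
             "ports": int(m["ports"]), "secs": int(m["secs"])}
            for m in ALERT_RE.finditer(text)]

def is_ignored(src, ignore):
    # True if the scanner source falls inside any ignorehosts entry.
    return any(ipaddress.ip_address(src) in net for net in ignore)

def evaluate(conf=SNORT_CONF, alerts=ALERTS):
    # Pair each logged scanner with whether the ignore list would cover it.
    _, ignore = parse_conf(conf)
    return [(a["src"], is_ignored(a["src"], ignore)) for a in parse_alerts(alerts)]
```

Under that assumption the scanner 152.175.40.197 matches neither entry of the ignore list.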