Snort mailing list archives

Re: Snort not seeing all traffic?


From: PJ <p.jones.ml () xsb com>
Date: Thu, 24 Apr 2003 14:36:23 -0400

OK, following what you said, I looked for the preprocessor lines in my config and saw nothing for portscan2. I created the preprocessor, though I was wondering whether I should leave all the values blank?

Also, I checked the rules and noted that the ones I was concerned about (cmd.exe ...) are activated... why would Snort not see this type of attack (my guess is several reasons, all of which are beyond my education level at this moment, I fear)?

Thanks for all the help folks.

~PJ

At 08:48 AM 4/24/2003 -0700, Erick Mechler wrote:
> :: I am referring to "alerts" I guess... With that said, I can not find
> :: "rules" via snort-center, that pertain to port scanning and or the exploits
> :: like cmd.exe and root.exe... As for the rest, should I run something like
> :: Ethereal and check traffic that way?
>
> Portscanning is taken care of via the portscan2 preprocessor (Config Types
> --> Preprocessors --> Create preprocessors).  As for the cmd.exe and
> root.exe rules, check SIDs 1661, 1002, and 1256 among others.
>
> Re: Ethereal, that's just a sniffer, so unless you actually want to look
> through all your packets looking for bad stuff, I'd just stick with
> customizing your Snort rulebase to fit your needs.
>
> Cheers - Erick
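The two things under discussion, whether the portscan2 preprocessor is actually configured and whether the cmd.exe/root.exe rules (SIDs 1661, 1002 and 1256 from Erick's reply) are present and not commented out, can be checked directly against the files instead of through a front end. The script below is an added example by the editor, not code from the thread or from the Snort project. The SID numbers come from the thread; the sample snort.conf, its preprocessor option values, and the simplified rule bodies are constructed stand-ins and are not the official rules with those SIDs. It assumes the Snort 2.0 layout in which portscan2 relies on the conversation preprocessor being loaded first.

```python
"""
Audit a Snort 2.0-style snort.conf and rules file for the items raised in the
thread: is portscan2 configured (with its conversation prerequisite), and are
the cmd.exe/root.exe rules (SIDs 1661, 1002, 1256) present and active?
"""
import re

# Constructed sample configuration (not anyone's real snort.conf).
# Preprocessor option values are illustrative, not recommended settings.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
include $RULE_PATH/web-iis.rules
"""

# Constructed sample rules file. Rule bodies are simplified stand-ins; only the
# SID numbers come from the thread. SID 1256 is deliberately commented out so
# the audit has something to report.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; sid:1002; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; sid:1256; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; sid:1661; rev:5;)
"""

PREPROC_RE = re.compile(r'^\s*preprocessor\s+([A-Za-z0-9_]+)\s*(?::\s*(.*))?$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_preprocessors(conf_text):
    """Return {name: {option: value}} for every uncommented preprocessor line."""
    found = {}
    for line in conf_text.splitlines():
        m = PREPROC_RE.match(line)
        if not m:
            continue
        name, opts = m.group(1), (m.group(2) or '')
        options = {}
        for item in opts.split(','):
            parts = item.split()
            if len(parts) == 2:          # "keyword value"
                options[parts[0]] = parts[1]
            elif len(parts) == 1 and parts[0]:  # bare keyword
                options[parts[0]] = None
        found[name] = options
    return found


def rule_status(rules_text, sids):
    """Return {sid: 'active' | 'commented' | 'missing'} for the requested SIDs."""
    status = {s: 'missing' for s in sids}
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if not m:
            continue
        sid = int(m.group(1))
        if sid not in status:
            continue
        commented = line.lstrip().startswith('#')
        # An active copy of a rule outranks a commented-out copy elsewhere.
        if status[sid] != 'active':
            status[sid] = 'commented' if commented else 'active'
    return status


def audit(conf_text, rules_text, sids=(1661, 1002, 1256)):
    """Collect the findings an operator would act on, as plain strings."""
    findings = []
    pre = parse_preprocessors(conf_text)
    if 'portscan2' not in pre:
        findings.append('portscan2 preprocessor not configured')
    elif 'conversation' not in pre:
        findings.append('portscan2 configured but conversation preprocessor missing')
    for sid, st in sorted(rule_status(rules_text, sids).items()):
        if st != 'active':
            findings.append(f'sid {sid} is {st}')
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_CONF, SAMPLE_RULES):
        print(finding)
```

Point the two parsers at the real snort.conf and the included rules files (concatenated) to get the same report for a live sensor. A "missing" SID usually means the rules file is not included or is out of date; a "commented" SID means the rule ships disabled and needs enabling; a configured portscan2 with no conversation line means the portscan detector has nothing to work from.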

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users