Snort mailing list archives
Portscan preprocessors
From: "Mike Feetham" <mike.feetham () percepta-crm com>
Date: Tue, 1 Jul 2003 14:45:24 -0400
I've been running Snort with Acid for a while now, and everything seems to be working properly, except detection of portscans. I'm using Snort 2.0 on RH8, and I'm logging to a MySQL database. I tried enabling the portscan preprocessor in the snort.conf file: "preprocessor portscan: $HOME_NET 4 3 /var/log/portscan.log". I ran a few portscans to test the preprocessor, but I didn't see anything happening in the ACID console, though the scans appear in the /var/log/portscan.log file. Next I tried disabling this preprocessor, and enabling the conversation preprocessor: "preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000", as well as the portscan2 preprocessor: "preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60". After restarting Snort, and running a few portscans, I'm still not seeing anything in the ACID console. Is there a parameter I'm missing to get Snort to log these portscans into the MySQL database?

Any help is appreciated,
Mike F.
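As an added illustration of what the threshold in the quoted `preprocessor portscan: $HOME_NET 4 3 /var/log/portscan.log` line means (example code written for this archive page, not Snort's own source and not from anyone in the thread), the following Python applies the same "4 ports within 3 seconds" sliding-window rule to a set of constructed connection events; the addresses, timestamps and event layout are all made up for the demonstration.

```python
from collections import defaultdict, deque

# Parameters taken from the snort.conf line quoted in the post:
# "preprocessor portscan: $HOME_NET 4 3 /var/log/portscan.log"
# i.e. flag a source that touches at least 4 ports within 3 seconds.
PORT_THRESHOLD = 4
WINDOW_SECONDS = 3

# Constructed sample events (not real Snort output): (epoch seconds, src, dst, dport).
SAMPLE_EVENTS = [
    (100.0, "192.0.2.10", "198.51.100.5", 21),
    (100.5, "192.0.2.10", "198.51.100.5", 22),
    (101.0, "192.0.2.10", "198.51.100.5", 23),
    (102.0, "192.0.2.10", "198.51.100.5", 25),   # 4th port inside 3 s -> scan
    (100.0, "192.0.2.20", "198.51.100.5", 80),
    (110.0, "192.0.2.20", "198.51.100.5", 443),  # one port every 10 s: never 4 in a window
    (120.0, "192.0.2.20", "198.51.100.5", 8080),
    (130.0, "192.0.2.20", "198.51.100.5", 8443),
]


def detect_scans(events, port_threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window portscan detector.

    For each source address, keep the (time, dst, port) records seen in the
    last `window` seconds and report the source once that window holds at
    least `port_threshold` distinct dst:port pairs. Returns one
    (src, window_start, window_end, sorted_ports) tuple per detected source.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst, port), oldest first
    alerted = set()
    alerts = []
    for ts, src, dst, port in sorted(events):
        q = recent[src]
        q.append((ts, dst, port))
        while q and ts - q[0][0] > window:   # expire records older than the window
            q.popleft()
        distinct = {(d, p) for _, d, p in q}
        if len(distinct) >= port_threshold and src not in alerted:
            alerted.add(src)                 # report each scanning source once
            alerts.append((src, q[0][0], ts, sorted(p for _, p in distinct)))
    return alerts


if __name__ == "__main__":
    for src, start, end, ports in detect_scans(SAMPLE_EVENTS):
        print(f"portscan from {src}: {len(ports)} ports in {end - start:.1f}s -> {ports}")
```

Lowering the window or raising the port count in the call (`detect_scans(events, 5, 1)`) shows how the two numbers in the preprocessor line trade sensitivity against false positives.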