Snort mailing list archives

No portscan showing in ACID anymore?


From: "Peters, Michael D." <Michael.Peters () acbl net>
Date: Wed, 14 Jan 2004 15:24:28 -0500

I no longer have portscan traffic showing up in ACID. I imagine it has
something to do with my configuration.

Does anyone see the obvious that I am missing?

preprocessor flow: stats_interval 300 hash 1
preprocessor portscan: 172.16.0.0/16 5 6 /var/snort/portscan/lan.portscan
preprocessor frag2
preprocessor stream4: keepstats, detect_scans, detect_state_problems, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server 172.16.0.140 profile apache ports { 80 443 12345 }
preprocessor http_inspect_server: server 172.16.0.8 profile apache ports { 80 443 3852 18080 }
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: \
        talker-sliding-scale-factor 0.50 \
        talker-fixed-threshold 30 \
        talker-sliding-threshold 30 \
        talker-sliding-window 20 \
        talker-fixed-window 30 \
        scoreboard-rows-talker 30000 \
        server-watchnet [172.16.0.55/32,172.16.0.140/32] \
        server-ignore-limit 200 \
        server-rows 65535 \
        server-learning-time 14400 \
        server-scanner-limit 4 \
        scanner-sliding-window 20 \
        scanner-sliding-scale-factor 0.50 \
        scanner-fixed-threshold 15 \
        scanner-sliding-threshold 40 \
        scanner-fixed-window 15 \
        scoreboard-rows-scanner 30000 \
        src-ignore-net [192.168.200.0/24] \
        dst-ignore-net [10.0.0.0/30] \
        alert-mode once \
        output-mode msg \
        tcp-penalties on
preprocessor perfmonitor: time 300 flow events file /var/ssnort/performance/snort.stats pktcnt 10000
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snortdb password=somepassword dbname=snort host=localhost sensor_name=LAN

Best regards,

Michael D. Peters 
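One way to separate "the preprocessor is not firing" from "the alerts are not reaching the database" is to look at the file the posted `preprocessor portscan:` line writes to (/var/snort/portscan/lan.portscan), which is written independently of the `output database:` plugin. The script below is an added example, not code from the original post or from the Snort project: it parses that log and re-applies the same threshold the posted line configures (5 ports within 6 seconds on 172.16.0.0/16). The one-line-per-probe log format (`Mon DD HH:MM:SS src:sport -> dst:dport PROTO FLAGS`), the choice to apply the monitor network to the scan target, and the sample log lines are all assumptions constructed for the example.

```python
"""Re-apply the legacy Snort `portscan` preprocessor thresholds to its
own log file.  Added example, not from the original post.  The log
format and the sample lines below are constructed assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed format: "Mon DD HH:MM:SS src:sport -> dst:dport PROTO [FLAGS]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\S+)(?: (?P<flags>\S+))?$"
)

# Constructed sample: one host probes six ports in about 2 s (should
# trip "5 ports in 6 s"), a second host touches two ports 30 s apart
# (should not), and a third host outside the watched net sends one probe.
SAMPLE_LOG = """\
Jan 14 15:20:01 172.16.0.77:3001 -> 172.16.0.140:21 SYN ******S*
Jan 14 15:20:01 172.16.0.77:3002 -> 172.16.0.140:22 SYN ******S*
Jan 14 15:20:02 172.16.0.77:3003 -> 172.16.0.140:23 SYN ******S*
Jan 14 15:20:02 172.16.0.77:3004 -> 172.16.0.140:25 SYN ******S*
Jan 14 15:20:03 172.16.0.77:3005 -> 172.16.0.140:80 SYN ******S*
Jan 14 15:20:03 172.16.0.77:3006 -> 172.16.0.140:443 SYN ******S*
Jan 14 15:21:00 172.16.0.8:4000 -> 172.16.0.140:80 SYN ******S*
Jan 14 15:21:30 172.16.0.8:4001 -> 172.16.0.140:443 SYN ******S*
Jan 14 15:22:00 10.9.9.9:5000 -> 172.16.0.140:22 SYN ******S*
"""


def parse_log(text):
    """Return (timestamp, src, dst, dport, proto) tuples; lines that do
    not match the assumed format are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog-style stamps carry no year; only deltas are used below.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dport"]), m["proto"]))
    return events


def find_scanners(events, monitor_net, ports, seconds):
    """Flag every source that touches at least `ports` distinct dst:port
    targets inside some window `seconds` wide.  Assumption (not stated
    on the page): the monitor network is matched against the target."""
    net = ipaddress.ip_network(monitor_net)
    per_src = defaultdict(list)
    for ts, src, dst, dport, _proto in events:
        if ipaddress.ip_address(dst) in net:
            per_src[src].append((ts, dst, dport))

    hits = {}
    for src, probes in per_src.items():
        probes.sort()
        # Slide a window anchored at each probe; stop at the first hit.
        for i in range(len(probes)):
            targets = set()
            for ts, dst, dport in probes[i:]:
                if (ts - probes[i][0]).total_seconds() > seconds:
                    break
                targets.add((dst, dport))
            if len(targets) >= ports:
                hits[src] = sorted(p for _, p in targets)
                break
    return hits


if __name__ == "__main__":
    # Same thresholds as the posted config line: 172.16.0.0/16, 5 ports, 6 s.
    events = parse_log(SAMPLE_LOG)
    for src, plist in find_scanners(events, "172.16.0.0/16", 5, 6).items():
        print(f"{src} hit {len(plist)} ports within 6 s: {plist}")
```

Run it against the real file instead of SAMPLE_LOG (for example `parse_log(open("/var/snort/portscan/lan.portscan").read())`): if sources show up here but nothing appears in ACID, the preprocessor is detecting and the problem lies on the output side; if the file is empty or missing, the preprocessor itself is not firing.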


