Snort mailing list archives

RE: no portscan traffic

From: "Murray, Todd" <Todd.Murray () adidasus com>
Date: Wed, 21 Jul 2004 12:39:54 -0700
Your missing the conversation preprocessor and your portscan2 preprocessor
is incorrect.

Here is are mine.

preprocessor bo
preprocessor flow: stats_interval 0 hash 2 
preprocessor frag2  
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 
preprocessor http_inspect_server: server default profile all ports { 80 8080
8180 } oversize_dir_length 500 
preprocessor rpc_decode: 111 32771 
preprocessor stream4: disable_evasion_alerts 
preprocessor stream4_reassemble  
preprocessor telnet_decode  
preprocessor conversation: allowed_ip_protocols all, timeout 60,
max_conversations 3000 
preprocessor portscan2-ignorehosts: 10.1.5.0/24 10.2.5.0/24 10.1.2.4/32
10.1.10.2/32 10.1.10.7/32 10.1.2.5/32 10.2.2.3/32 
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 30,
port_limit 40, timeout 40, log /var/log/snort/portscan2.eth0.log 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Adam Denenberg
Sent: Wednesday, July 21, 2004 10:44 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] no portscan traffic

i have flow-portscan2 enabled in snort.conf but no portscan traffic is
showing up in acid.  here are my plugins

any ideas?

[root@ids1 docs]# grep preprocessor /etc/snort/snort.conf

preprocessor frag2:  timeout 35, memcap 4194304, min_ttl 3, ttl_limit 8
preprocessor stream4: detect_scans, timeout 35, memcap 32000000, min_ttl 3, 
preprocessor stream4_reassemble: both, ports all
preprocessor http_inspect: global proxy_alert iis_unicode_map 
preprocessor http_inspect_server: server default profile all ports { 80 443
} 
preprocessor http_inspect_server: server 207.241.152.130  bare_byte no
preprocessor http_inspect_server: server 207.241.153.143  bare_byte no
preprocessor http_inspect_server: server 207.241.152.242  bare_byte no
preprocessor http_inspect_server: server 207.241.152.249  bare_byte no
preprocessor flow: stats_interval 0 hash 2
preprocessor flow-portscan: \
preprocessor rpc_decode: 111 32771
#preprocessor bo
preprocessor telnet_decode
#preprocessor arpspoof #preprocessor arpspoof_detect_host:
192.168.40.1 f0:0f:00:f0:0f:00


thanks
adam


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:

no portscan traffic Adam Denenberg (Jul 21)
- <Possible follow-ups>
- RE: no portscan traffic Murray, Todd (Jul 21)
  - Re: no portscan traffic Max Valdez (Jul 23)