Snort mailing list archives
RE: no portscan traffic
From: "Murray, Todd" <Todd.Murray () adidasus com>
Date: Wed, 21 Jul 2004 12:39:54 -0700
You're missing the conversation preprocessor and your portscan2 preprocessor is incorrect. Here are mine.

preprocessor bo
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
preprocessor portscan2-ignorehosts: 10.1.5.0/24 10.2.5.0/24 10.1.2.4/32 10.1.10.2/32 10.1.10.7/32 10.1.2.5/32 10.2.2.3/32
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 30, port_limit 40, timeout 40, log /var/log/snort/portscan2.eth0.log

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Adam Denenberg
Sent: Wednesday, July 21, 2004 10:44 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] no portscan traffic

I have flow-portscan2 enabled in snort.conf but no portscan traffic is showing up in acid. Here are my plugins. Any ideas?

[root@ids1 docs]# grep preprocessor /etc/snort/snort.conf
preprocessor frag2: timeout 35, memcap 4194304, min_ttl 3, ttl_limit 8
preprocessor stream4: detect_scans, timeout 35, memcap 32000000, min_ttl 3,
preprocessor stream4_reassemble: both, ports all
preprocessor http_inspect: global proxy_alert iis_unicode_map
preprocessor http_inspect_server: server default profile all ports { 80 443 }
preprocessor http_inspect_server: server 207.241.152.130 bare_byte no
preprocessor http_inspect_server: server 207.241.153.143 bare_byte no
preprocessor http_inspect_server: server 207.241.152.242 bare_byte no
preprocessor http_inspect_server: server 207.241.152.249 bare_byte no
preprocessor flow: stats_interval 0 hash 2
preprocessor flow-portscan: \
preprocessor rpc_decode: 111 32771
#preprocessor bo
preprocessor telnet_decode
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

thanks
adam

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
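
Added example (not part of either message, and not Snort project code): a small snort.conf checker for the dependency the reply points at, portscan2 without the conversation preprocessor. It assumes the Snort 2.x pairings portscan2/conversation and flow-portscan/flow, joins backslash-continued lines (which the grep output in the thread shows only as a trailing "\"), and runs on a constructed fragment that reuses the reply's option values; the function names are hypothetical.

```python
import re

# Assumed pairings (Snort 2.x documentation; the reply points at the first one):
# portscan2 needs conversation, flow-portscan needs flow.
REQUIRES = {"portscan2": "conversation", "flow-portscan": "flow"}

def active_preprocessors(conf_text):
    """Map each uncommented preprocessor name to its option string,
    joining backslash-continued lines first."""
    logical, pending = [], ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending.rstrip())
    found = {}
    for line in logical:
        m = re.match(r"preprocessor\s+([\w-]+)\s*:?\s*(.*)", line)
        if m:  # lines starting with '#' never match, so disabled entries are skipped
            found.setdefault(m.group(1), m.group(2).strip())
    return found

def missing_dependencies(conf_text):
    """Return one message per enabled detector whose prerequisite is absent."""
    found = active_preprocessors(conf_text)
    return [f"{name} is enabled but {needed} is not"
            for name, needed in REQUIRES.items()
            if name in found and needed not in found]

# Constructed snort.conf fragment reusing option values from the reply;
# the conversation line is commented out to reproduce the reported gap.
BROKEN = r"""
preprocessor flow: stats_interval 0 hash 2
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
preprocessor portscan2: scanners_max 256, targets_max 1024, \
    target_limit 30, port_limit 40, timeout 40
"""
FIXED = BROKEN.replace("#preprocessor conversation", "preprocessor conversation")

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, missing_dependencies(conf) or "ok")
```

Reading the file this way, rather than through grep, also shows the full option list of any directive that spans several lines.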
Current thread:
- no portscan traffic Adam Denenberg (Jul 21)
- <Possible follow-ups>
- RE: no portscan traffic Murray, Todd (Jul 21)
- Re: no portscan traffic Max Valdez (Jul 23)