Snort mailing list archives

Re: Snort 2.6.1 false negative - not detecting port scans


From: Hari Sekhon <hpsekhon () googlemail com>
Date: Thu, 19 Jun 2008 09:32:17 +0100

For this sensor it is sensing on the same NIC as the mgmt address, so I
am scanning that address.

This sensor is really a test sensor against which I've been trying
various things out (which is why the sensing interface is the same as
the mgmt interface). I made massive changes to the snort.conf in the
course of tuning it, and I am scanning from the same subnet. Having just
written this, I realised that my EXTERNAL_NET was set to !$HOME_NET, so
this was probably stopping it from detecting the traffic. Switching this
to any seems to pick up scans from my workstation again now. I forgot
that the preprocessors may also use EXTERNAL_NET, not just the rules...

Thanks

-h

Seth wrote:
Where is the scan being run from?  Same subnet?  Behind a firewall?

You mention you are doing the scan against the sensors. Are you
scanning the sensor MGMT IP address or the network that the sensor is
protecting?

Regards,

Seth

On Fri, Jun 13, 2008 at 5:59 AM, Hari Sekhon <hpsekhon () googlemail com> wrote:
Hi,

  I have a couple of Snort sensors with the sfportscan preprocessor
enabled and set to sensitivity high with no ignored scanners, and I have
then proceeded to test this using nmap to do the most standard SYN and
connect scans directly against those sensors, and Snort has failed on
both sensors to detect this.

I am outputting to both syslog and BASE via barnyard and no portscan
alerts have been logged, nor has the unified alert file grown at all, so
Snort is definitely not logging this. I am sure Snort was logging this
before the other day when I was testing this.

Any ideas why Snort is failing such a basic test?

-h

--
Hari Sekhon
-- 
Hari Sekhon
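The root cause in this thread is a variable-scoping one: with EXTERNAL_NET defined as !$HOME_NET, a scanner sitting inside HOME_NET is by definition not "external", so anything keyed on EXTERNAL_NET never sees it. The following is an added example, not code from the thread or from the Snort project, that models how Snort 2 IP variables (any, CIDR blocks, ! negation, $NAME references and bracketed lists) resolve for a given source address, using constructed snort.conf fragments with the weak setting beside the corrected one. The addresses, the preprocessor line and the function names are assumptions chosen for illustration; whether a specific preprocessor honours EXTERNAL_NET is the behaviour the poster observed, not something this code asserts.

```python
import ipaddress
import re

# Constructed snort.conf fragments for illustration. Assumption: these
# addresses and the exact sfportscan line are not from the original post.
WEAK_CONF = """\
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
var EXTERNAL_NET !$HOME_NET
preprocessor sfportscan: proto { all } scan_type { all } sense_level { high }
"""

FIXED_CONF = """\
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
var EXTERNAL_NET any
preprocessor sfportscan: proto { all } scan_type { all } sense_level { high }
"""

_VAR_LINE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")


def parse_vars(conf):
    """Collect `var NAME VALUE` definitions from a Snort 2 config fragment."""
    variables = {}
    for line in conf.splitlines():
        m = _VAR_LINE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def ip_in_var(ip, expr, variables):
    """Evaluate a Snort 2 IP variable expression for one address.

    Handles the subset seen in the thread: `any`, CIDR blocks, leading `!`
    negation, `$NAME` references and a flat bracketed comma-separated list
    (nested lists are not modelled).
    """
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        # !$HOME_NET: the address is "external" only if it is NOT in HOME_NET
        return not ip_in_var(ip, expr[1:], variables)
    if expr.startswith("$"):
        return ip_in_var(ip, variables[expr[1:]], variables)
    if expr.startswith("[") and expr.endswith("]"):
        return any(ip_in_var(ip, part, variables)
                   for part in expr[1:-1].split(","))
    return ip in ipaddress.ip_network(expr, strict=False)


def scanner_is_external(conf, scanner_ip):
    """True if scanner_ip falls inside EXTERNAL_NET as defined in conf."""
    variables = parse_vars(conf)
    return ip_in_var(ipaddress.ip_address(scanner_ip),
                     variables["EXTERNAL_NET"], variables)


if __name__ == "__main__":
    # A workstation on the sensor's own subnet versus a host off-net.
    for label, conf in (("!$HOME_NET", WEAK_CONF), ("any", FIXED_CONF)):
        for src in ("192.168.1.50", "203.0.113.7"):
            print(f"EXTERNAL_NET={label:<11} scanner {src:<14} "
                  f"external={scanner_is_external(conf, src)}")
```

Run it and the same-subnet scanner 192.168.1.50 resolves as not external under !$HOME_NET but as external under any, while the off-net host 203.0.113.7 is external either way; that is exactly why the test scans from the workstation went quiet after tuning. The practitioner's check before blaming a preprocessor is therefore to confirm the test source actually lies in whatever network variable the detection logic keys on, or to scan from a host outside HOME_NET so the production setting is exercised as intended.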

