Re: port scan detection

[Soniya Balram <sonia_balram () yahoo com>]

Hi all,
sfportscan preprocessor is generating alerts now. I added logfile { portscan.log } to the preprocessor config in 
snort.conf.

Is there some documentation on how sfportscan is implemented?

Regards
Soniya

--- On Mon, 20/10/08, Soniya Balram <sonia_balram () yahoo com> wrote:

> From: Soniya Balram <sonia_balram () yahoo com>
> Subject: [Snort-users] port scan detection
> To: snort-users () lists sourceforge net
> Date: Monday, 20 October, 2008, 10:13 AM
> Hi all,
> I use Snort version 2.8.3.1 on a windows xp machine. I want
> to detect port scans. I have enabled sfportscan
> preprocessor. The config is:
> preprocessor sfportscan: proto  { all } \
>                          memcap { 10000000 } \
>                          scan_type { all } \
>                          sense_level { high } \
>                          detect_ack_scans
> I have also enabled stream4 preprocessor. The config is:
> preprocessor stream4: detect_scans
>
> I have not enabled any rules. I use nmap to generate
> different types of scans but no alerts are generated.
>
> To test snort, I wrote a rule:
> alert tcp any any -> any any (msg:"got an tcp
> packet"; sid:2000000; rev:1;)
> This results in alerts. 
>
> Can anyone help.
>
> Regards
> Soniya
>
> Send instant messages to your online friends
> http://uk.messenger.yahoo.com 
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move
> Developer's challenge
> Build the coolest Linux based applications with Moblin SDK
> & win great prizes
> Grand prize is a trip for two to an Open Source event
> anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> #
> " This e-mail and any attached documents may contain
> confidential or proprietary information. If you are not the
> intended recipient, please advise the sender immediately and
> delete this e-mail and all attached documents from your
> computer system. Any unauthorised disclosure, distribution
> or copying hereof is prohibited."
>
>  " Ce courriel et les documents qui y sont attaches
> peuvent contenir des informations confidentielles. Si vous
> n'etes  pas le destinataire escompte, merci d'en
> informer l'expediteur immediatement et de detruire ce
> courriel  ainsi que tous les documents attaches de votre
> systeme informatique. Toute divulgation, distribution ou
> copie du present courriel et des documents attaches sans
> autorisation prealable de son emetteur est interdite."
> #


      

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users