Snort mailing list archives

port scan detection


From: Soniya Balram <sonia_balram () yahoo com>
Date: Sun, 19 Oct 2008 21:43:00 -0700 (PDT)

Hi all,
I use Snort version 2.8.3.1 on a Windows XP machine. I want to detect port scans. I have enabled the sfportscan preprocessor. The config is:
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         scan_type { all } \
                         sense_level { high } \
                         detect_ack_scans
I have also enabled the stream4 preprocessor. The config is:
preprocessor stream4: detect_scans

I have not enabled any rules. I use nmap to generate different types of scans but no alerts are generated.

To test Snort, I wrote a rule:
alert tcp any any -> any any (msg:"got an tcp packet"; sid:2000000; rev:1;)
This results in alerts. 

Can anyone help?

Regards
Soniya
