Re: preprocessor sfportscan does not generate alerts

[Marc Belanger <mab_snort () hotmail com>]

Thanks for your reply...
Q: "do you have those specific rules enabled?"A: My understanding is that by removing the # character the preprocessor 
is activated.     I am not aware of a sfportscan.rule file.    scan.rules is not commented out (no # in front of it)
Q: "do your scans follow the specific portscan rules that snort has in the preprocessor?"A: preprocessor sfportscan: 
proto  { tcp } scan_type { all } (...)    or preprocessor sfportscan: proto  { all } scan_type { all } (...)    does 
not generate alerts for     nmap -sS <dest_ip_address>

> Date: Fri, 15 Feb 2013 23:10:52 -0500
> From: wkitty42 () windstream net
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] preprocessor sfportscan does not generate alerts
>
> On 2/15/2013 17:04, Marc Belanger wrote:
> > Hi,
> >
> > How do I troubleshoot a Snort install that generates no alert when the
> > sfportscan preprocessor is activated?
>
> do you have those specific rules enabled?
>
> do your scans follow the specific portscan rules that snort has in the preprocessor?
>
> i have seen some scans that do not trigger because there are no rules for 
> them... or they don't comply with the existing rules...
>
>
> ------------------------------------------------------------------------------
> The Go Parallel Website, sponsored by Intel - in partnership with Geeknet, 
> is your hub for all things parallel software development, from weekly thought 
> leadership blogs to news, videos, case studies, tutorials, tech docs, 
> whitepapers, evaluation guides, and opinion stories. Check out the most 
> recent posts - join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
The Go Parallel Website, sponsored by Intel - in partnership with Geeknet, 
is your hub for all things parallel software development, from weekly thought 
leadership blogs to news, videos, case studies, tutorials, tech docs, 
whitepapers, evaluation guides, and opinion stories. Check out the most 
recent posts - join the conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!