Snort mailing list archives

Re: preprocessor sfportscan does not generate alerts


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 18 Feb 2013 16:24:08 -0500

On 2/18/2013 12:16, Marc Belanger wrote:
> Thanks for your reply...
> 
> Q: "do you have those specific rules enabled?"
> A: My understanding is that by removing the # character the preprocessor is
> activated.
> I am not aware of a sfportscan.rule file.
> scan.rules is not commented out (no # in front of it)
> 
> Q: "do your scans follow the specific portscan rules that snort has in the
> preprocessor?"
> A: preprocessor sfportscan: proto { tcp } scan_type { all } (...)
> or preprocessor sfportscan: proto { all } scan_type { all } (...)
> does not generate alerts for nmap -sS <dest_ip_address>

right... some scans are not detected by the portscanner... there are specific 
rules written for them... in this particular case, the EmergingThreats rule 
1:2000537 or 1:2000545 covers "nmap -sS"... i count at least twenty-five (25) 
nmap related rules in both the VRT and the ET rules sets...
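An added example, not code from this thread or from the Snort project: a small Python check for the question the reply turns on, namely whether a given signature such as 1:2000537 or 1:2000545 is actually present, uncommented, and in a .rules file that snort.conf includes. The snort.conf contents, the rule bodies and the local SIDs 1000001 and 1000002 are constructed placeholders; the real ET rule text is not reproduced.

```python
import re
import tempfile
from pathlib import Path

# A Snort rule line (possibly commented out with '#') and its sid option.
RULE_RE = re.compile(r'^\s*(?P<commented>#)?\s*(?:alert|log|pass|drop|reject|sdrop)\s.*?'
                     r'\bsid\s*:\s*(?P<sid>\d+)\s*;', re.IGNORECASE)
# An 'include' line in snort.conf, possibly commented out.
INCLUDE_RE = re.compile(r'^\s*(?P<commented>#)?\s*include\s+(?P<path>\S+)')

def rule_status(conf_path, rules_dir, wanted_sids):
    """Map each sid to 'enabled', 'commented', 'file not included' or 'missing'."""
    included = set()
    for line in Path(conf_path).read_text().splitlines():
        m = INCLUDE_RE.match(line)
        if m and not m.group('commented'):
            included.add(Path(m.group('path')).name)  # drops the $RULE_PATH/ prefix
    status = {sid: 'missing' for sid in wanted_sids}
    for rules_file in sorted(Path(rules_dir).glob('*.rules')):
        for line in rules_file.read_text().splitlines():
            m = RULE_RE.match(line)
            if not m or int(m.group('sid')) not in status:
                continue
            sid = int(m.group('sid'))
            if rules_file.name not in included:
                status[sid] = 'file not included'   # rule exists but snort never loads it
            elif m.group('commented'):
                status[sid] = 'commented'
            else:
                status[sid] = 'enabled'
    return status

def demo():
    """Constructed snort.conf and rules files in a temp dir; returns the status map."""
    base = Path(tempfile.mkdtemp())
    (base / 'rules').mkdir()
    (base / 'snort.conf').write_text('include $RULE_PATH/scan.rules\n'
                                     '#include $RULE_PATH/local.rules\n')
    # Placeholder rule bodies: the real ET rule text is not reproduced here.
    (base / 'rules' / 'scan.rules').write_text(
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN A"; flags:S,12; sid:2000537; rev:1;)\n'
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN B"; flags:S,12; sid:2000545; rev:1;)\n')
    (base / 'rules' / 'local.rules').write_text(
        'alert tcp any any -> any any (msg:"LOCAL"; sid:1000001; rev:1;)\n')
    return rule_status(base / 'snort.conf', base / 'rules', [2000537, 2000545, 1000001, 1000002])

if __name__ == '__main__':
    for sid, state in demo().items():
        print(f'sid {sid}: {state}')
```

Point `rule_status` at a real snort.conf and rules directory to see which of the nmap signatures are live; a rule that is uncommented in a file snort.conf never includes is as silent as one that is commented out.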
