Snort mailing list archives
Re: how to disable spp_porscan?
From: robe () alfa21 com (Roberto Suarez Soto)
Date: Wed, 19 Dec 2001 10:48:30 +0100
On Dec/18, Phil Wood wrote:
> There is no way that the portscan preprocessor will run if you have commented it out of your config file. Since you have shown us a config file with it commented out. Run snort without the quiet option, and send us the command line you use to start snort as well as the configuration file.
I've already done so in another message addressed to Chris Green, please see it. I'll try the "quiet" thing just as I finish this message :-)
> Also, depending on who designed your configuration, you might have "include" files in your "conf" file which negate anything you think you might have done to turn off portscan.
Well, I have indeed an include, which includes the rest of the .rules files in /etc/snort. But I think that the alerts that I reported are not from those files. At least, it shouldn't :-)
> And finally, the next time you request help, please include information like: operating system you are running, version of that operating system, where you obtained snort, who compiled it, who configured it, what version you are running, what snort command line options you use, the contents of your configuration file, and in addition anything else that might help someone figure out what the hell you are doing.
Ooops. My humble excuses O:-) I was quite pissed off for not knowing what the hell was happening, and surely that reflected in my messages. I'm sorry, what more can I say :-)

Well, better late than never. As I said to Chris, I built snort myself, using the Debian templates for 1.8p1 version, and changing a few things (basically, just removing mysql support and adding postgresql support instead). The sources were downloaded from snort's home page. Anyway, as for the rest of the information:

- OS is Debian, more or less experimental (i.e., many packages from "sid" version)
- Kernel is Linux 2.4.14, with patches for aacraid cards
- Version of packages related to snort:
  - libc6 2.2.4 (debian package 2.2.4-6)
  - libpcap 0.6.2 (debian package 0.6.2-2)
- Rules are from day 2001-12-14 (downloaded from snort's home page)
- The box is a firewall with 3 ethernet cards, and snort is listening on eth0. This interface has 9 IPs, for masquerading and port-forwarding of several servers behind it. It also works as IPSec gateway. IPSec is working in the same eth0.

I don't know if I should give any more info. If so, just ask :-)

--
Roberto Suarez Soto
Alfa21 Outsourcing
robe () alfa21 com
http://www.alfa21.com
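Added example, not part of the original message or of Snort itself: one way to check whether an `include`d file re-enables a preprocessor that is commented out in the main config, as discussed above. The function names, the constructed sample files and the rule that relative includes resolve against the including file's directory are assumptions of this sketch.

```python
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
PREPROC_RE = re.compile(r"^\s*preprocessor\s+([\w-]+)")
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")


def find_active(conf_path, name="portscan", variables=None, seen=None):
    """Return (file, line_no, text) for each uncommented 'preprocessor <name>' line."""
    variables = {} if variables is None else variables
    seen = set() if seen is None else seen
    real = os.path.realpath(conf_path)
    if real in seen:                      # guard against include loops
        return []
    seen.add(real)
    hits = []
    with open(real, encoding="utf-8", errors="replace") as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].rstrip()   # text after '#' is a comment
            if (m := VAR_RE.match(line)):
                variables[m.group(1)] = m.group(2)
            elif (m := PREPROC_RE.match(line)) and m.group(1) == name:
                hits.append((real, no, line.strip()))
            elif (m := INCLUDE_RE.match(line)):
                # expand $VAR references, leaving unknown variables untouched
                target = re.sub(r"\$(\w+)",
                                lambda v: variables.get(v.group(1), v.group(0)),
                                m.group(1))
                # assumption: relative paths resolve against the including file
                target = os.path.join(os.path.dirname(real), target)
                if os.path.exists(target):
                    hits += find_active(target, name, variables, seen)
    return hits


def demo():
    """Constructed sample: main conf comments portscan out, an include enables it."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "snort.conf"), "w") as f:
        f.write("var RULE_PATH .\n"
                "#preprocessor portscan: $HOME_NET 4 3 portscan.log\n"
                "include $RULE_PATH/local.rules\n")
    with open(os.path.join(d, "local.rules"), "w") as f:
        f.write("preprocessor portscan: $HOME_NET 4 3 portscan.log\n")
    return find_active(os.path.join(d, "snort.conf"))
```

An empty result for the real config means no reachable file enables the preprocessor, which points the investigation at the command line or at a different config file being loaded.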