Snort mailing list archives
Re: Snort won't detect any portscan activity
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 18 Feb 2002 11:58:07 -0500
First, I'd try setting HOME_NET to any as a quick test.
I'm guessing (wildly) that you have snort running on a Linux box that is doing address translation/masquerading/whatever for a small network. If you have snort listening on your outside interface, HOME_NET should be the IP of that interface, not the address-translated ones, since the 192.168.*.* addresses will never appear on that interface.
Also note, you will have to generate attacks from the outside world heading in to your network, not from the inside heading out. Snort only monitors for portscans being run against HOME_NET (i.e., any portscans being run from HOME_NET will generally not be detected).
Please include some more details about your setup and the scans you are running if this isn't helpful to you.
At 12:35 PM 2/17/2002 +0100, Alen Salamun wrote:
Hello!
I have been trying to get snort up and running on my Mandrake 8.1. Everything works OK, but snort won't detect any kind of portscans (nmap -sS, -sT) at all. Portscans go through; I don't block them with iptables. I tried some other rules and they worked. I have Mandrake 8.1 and Snort 1.8.3 precompiled from site and even recompiled it myself.
Configuration:
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 3 5 /var/log/snort/portscan.log
and all the normal includes....
Where do I lie wrong?
Bye, Alen
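A configuration check for the mismatch the reply describes, added here as an example (not code from the thread or from the Snort project): it resolves the network given to the portscan preprocessor and tests whether the address seen on the sniffing interface falls inside it. The function names, the documentation address 203.0.113.10 standing in for the outside interface, and the handling of "any" as match-all are assumptions.

```python
import ipaddress
import re

# Constructed sample: variables and portscan line as quoted in the thread.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP $HOME_NET
preprocessor stream4: detect_scans
preprocessor portscan: $HOME_NET 3 5 /var/log/snort/portscan.log
"""

def parse_vars(conf):
    """Collect 'var NAME value' lines and resolve $NAME references."""
    raw = dict(re.findall(r"^\s*var\s+(\S+)\s+(\S+)", conf, re.M))
    def resolve(value, depth=0):
        if value.startswith("$") and depth < 10:  # depth cap stops reference loops
            return resolve(raw.get(value[1:], value), depth + 1)
        return value
    return {name: resolve(value) for name, value in raw.items()}

def portscan_settings(conf):
    """Return (network, ports, seconds, logfile) from the portscan line, or None."""
    m = re.search(r"^\s*preprocessor\s+portscan:\s*(\S+)\s+(\d+)\s+(\d+)\s+(\S+)",
                  conf, re.M)
    if m is None:
        return None
    net = m.group(1)
    if net.startswith("$"):
        net = parse_vars(conf).get(net[1:], net)
    return net, int(m.group(2)), int(m.group(3)), m.group(4)

def covers(network, address):
    """True when address is inside network; 'any' is assumed to match everything."""
    if network == "any":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(network, strict=False)

def check(conf, sniffed_address):
    """Report whether scans aimed at sniffed_address hit the monitored network."""
    settings = portscan_settings(conf)
    if settings is None:
        return "portscan preprocessor not configured"
    net = settings[0]
    verdict = "ok" if covers(net, sniffed_address) else "mismatch"
    return f"{verdict}: {sniffed_address} vs monitored network {net}"

if __name__ == "__main__":
    print(check(SAMPLE_CONF, "203.0.113.10"))  # outside interface under NAT
    print(check(SAMPLE_CONF.replace("192.168.1.0/24", "203.0.113.10/32"), "203.0.113.10"))
```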