Snort mailing list archives
nmap scans don't appear in portscan.log
From: "Salomon, Charlie" <csalomon () Elemica com>
Date: Mon, 1 Apr 2002 15:24:35 -0500
I'm a Snort newbie and need some help. I configured Snort 1.8.4 on Linux (Slackware 7.1) with the default snort.conf file except for the HOME_NET variable. We use a 172.xx.x.0 internal network with a 255.255.252.0 mask. The HOME_NET entry is 172.xx.x.0/22.

I ran nmap against the Snort box and the scans were properly detected. However, when I ran a scan against other machines on our network, the scans were not detected. I am running snort as a daemon with the following parameters:

snort -b -y -A fast -c snort.conf -M wrkstns -D

I ran snort -vde, and I am seeing packets from other machines. All scans are from an internal machine to other internal machines, and on the same subnet. All preprocessors pertaining to scans are active as well as the scan.rules.

I reviewed the scan.rules file and all the rules contain entries such as "alert tcp $EXTERNAL_NET any -> $HOME_NET any yadda, yadda, yadda". I thought that Snort might not detect a scan if it came from the same subnet. I then added (copied actually) the rules pertaining to nmap and changed the $EXTERNAL_NET to $HOME_NET, so the new rules read: "alert tcp $HOME_NET any -> $HOME_NET any yadda, yadda, yadda".

I ran nmap again and still no entry in the portscan.log. If someone could point me in the right direction, I'd greatly appreciate it.
Charlie Salomon