Snort mailing list archives

nmap scans don't appear in portscan.log


From: "Salomon, Charlie" <csalomon () Elemica com>
Date: Mon, 1 Apr 2002 15:24:35 -0500

I'm a Snort newbie and need some help.  I configured Snort 1.8.4 on Linux (Slackware 7.1) with the default snort.conf 
file except for the HOME_NET variable.  We use a 172.xx.x.0 internal network with a 255.255.252.0 mask.  The HOME_NET 
entry is 172.xx.x.0/22.  

I ran nmap against the Snort box and the scans were properly detected.  However, when I ran a scan against another 
machines on our network, the scans were not detected.  I am running snort as a daemon with the following parameters:

snort -b -y -A fast -c snort.conf -M wrkstns -D

I ran snort -vde, and I am seeing packets from other machines.
All scans are from an internal machine to other internal machines, and on the same subnet.  
All preprocessors pertaining to scans are active as well as the scan.rules.

I reviewed the scan.rules file and all the rules contain entries such as "alert tcp $EXTERNAL_NET any -> $HOME_NET any 
yadda, yadda, yadda". I thought that Snort might not detect a scan if it came from the same subnet.   I then added 
(copied actually) the rules pertaining to nmap and changed the $EXTERNAL_NET to $HOME_NET, so the new rules read:

"alert tcp $HOME_NET any -> $HOME_NET any yadda, yadda, yadda"  

I ran nmap again and still no entry in the portscan.log.  

If someone could point me in the right direction, I'd greatly appreciate it.  


Charlie Salomon
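As an added example (not from the original post, and not Snort's own code), a small Python model of how the address fields of a Snort rule header resolve $HOME_NET and $EXTERNAL_NET, to show which of the two rule variants above an internal-to-internal packet satisfies. The network 172.16.0.0/22 is a constructed stand-in for the masked 172.xx.x.0/22, and setting EXTERNAL_NET to !$HOME_NET is an assumption (the shipped 1.8.x snort.conf uses "any").

```python
import ipaddress

# Constructed values: the post masks its network as 172.xx.x.0/22,
# so 172.16.0.0/22 stands in for it here. EXTERNAL_NET as the
# negation of HOME_NET is an assumption, not the default.
VARS = {
    "HOME_NET": "172.16.0.0/22",
    "EXTERNAL_NET": "!$HOME_NET",
}


def resolve(spec, variables=VARS):
    """Expand $VAR references and '!' negation in a rule address spec.

    Returns (negated, networks); networks is None for 'any'.
    """
    negated = False
    while True:
        if spec.startswith("!"):
            negated = not negated
            spec = spec[1:]
        elif spec.startswith("$"):
            spec = variables[spec[1:]]
        else:
            break
    if spec == "any":
        return negated, None
    # Accept a single CIDR or a Snort-style list like [10.0.0.0/8,192.168.1.0/24].
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.strip("[]").split(",")]
    return negated, nets


def addr_matches(spec, ip, variables=VARS):
    """True if the IP satisfies the address spec (after variable expansion)."""
    negated, nets = resolve(spec, variables)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def header_matches(src_spec, dst_spec, src_ip, dst_ip, variables=VARS):
    """Address part of a rule header: '<src_spec> any -> <dst_spec> any'."""
    return (addr_matches(src_spec, src_ip, variables)
            and addr_matches(dst_spec, dst_ip, variables))


if __name__ == "__main__":
    # An internal host scanning another internal host on the same /22.
    print(header_matches("$EXTERNAL_NET", "$HOME_NET", "172.16.1.5", "172.16.2.9"))  # False
    print(header_matches("$HOME_NET", "$HOME_NET", "172.16.1.5", "172.16.2.9"))      # True
```

Rule-header matching only governs rule alerts; in Snort 1.8 the portscan.log file is written by the portscan preprocessor configured in snort.conf, not by the rules in scan.rules.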


