Snort mailing list archives

Re: nmap scans don't appear in portscan.log


From: Jason Yates <jyates () dataservice org>
Date: 01 Apr 2002 15:56:28 -0500

On Mon, 2002-04-01 at 15:24, Salomon, Charlie wrote:
> I'm a Snort newbie and need some help.  I configured Snort 1.8.4 on Linux (Slackware 7.1) with the default snort.conf
> file except for the HOME_NET variable.  We use a 172.xx.x.0 internal network with a 255.255.252.0 mask.  The HOME_NET
> entry is 172.xx.x.0/22.
>
> I ran nmap against the Snort box and the scans were properly detected.  However, when I ran a scan against other
> machines on our network, the scans were not detected.  I am running snort as a daemon with the following parameters:
>
> snort -b -y -A fast -c snort.conf -M wrkstns -D
>
> I ran snort -vde, and I am seeing packets from other machines.
> All scans are from an internal machine to other internal machines, and on the same subnet.
> All preprocessors pertaining to scans are active as well as the scan.rules.

Unless you have Snort hooked up to a monitor port on a switch or
something, Snort can't see the traffic, and therefore it can't report bad
traffic.  You should probably check with your Network Administrator, and
ask him/her to make a monitor port on your switch.  I actually duplicate
all the traffic going to and from my router port on to another port,
which is hooked up to a monitor server.  3Com switches call this feature
roving analysis, and I can't remember what Cisco calls it.

If you need any help email me.

-Jason
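
Added example (not part of the original thread): one way to check whether a sensor's interface actually receives other hosts' traffic is to classify captured Ethernet frames by destination address. On an ordinary switch port the frames seen from other machines are normally broadcast or multicast; unicast frames between two other hosts show up in volume only on a monitor port. The MAC addresses, sample frames, function names and the min_frames threshold below are constructed assumptions.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify(frame: bytes, sensor_mac: bytes) -> str:
    """Classify one raw Ethernet frame by who it was addressed to."""
    if len(frame) < 14:              # shorter than dst + src + ethertype
        return "truncated"
    dst, src = frame[0:6], frame[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                # I/G bit set: group (multicast) address
        return "multicast"
    if sensor_mac in (dst, src):
        return "own"                 # the sensor itself is one endpoint
    return "third_party"             # unicast between two other hosts

def visibility(frames, sensor_mac: bytes, min_frames: int = 5):
    """Return (per-class counts, True if third-party unicast is visible).

    min_frames is an arbitrary assumed threshold: a switch may briefly flood
    unicast for a destination it has not learned yet, so a stray frame or
    two does not prove the port is mirrored.
    """
    counts = Counter(classify(f, sensor_mac) for f in frames)
    return counts, counts["third_party"] >= min_frames

def frame(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    """Build a minimal constructed frame: header plus zero padding."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + b"\x00" * 46

# Constructed sample captures (locally administered MACs, not real hosts).
SENSOR = mac("02:00:00:00:00:01")
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
ACCESS_PORT = [
    frame("ff:ff:ff:ff:ff:ff", A, 0x0806),   # ARP broadcast from host A
    frame("01:00:5e:00:00:fb", B),           # multicast from host B
    frame("02:00:00:00:00:01", A),           # host A -> sensor
    frame(A, "02:00:00:00:00:01"),           # sensor -> host A
]
MONITOR_PORT = ACCESS_PORT + [frame(B, A)] * 6   # host A -> host B unicast

if __name__ == "__main__":
    for name, capture in (("access port", ACCESS_PORT), ("monitor port", MONITOR_PORT)):
        counts, ok = visibility(capture, SENSOR)
        print(f"{name}: {dict(counts)} third-party traffic visible: {ok}")
```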

