Snort mailing list archives

Re: UDP Portscans Are Not Capture


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 30 Sep 2002 09:11:45 -0700 (PDT)

On Mon, 30 Sep 2002, Grigoris Vidakis wrote:

> I run Snort Version 1.8.3 (Build 88) on Linux 7.3 (2.4.18-3) and it
> captures and alerts me on UDP portscans,
> BUT on the same box, with the same kernel and libpcap, Snort Version
> 1.8.7 (Build 128) does not capture them.

Actually, it's not anything to do with snort.  It's strictly the way that the
portscan preprocessor works.  The spp_portscan generates one alert when a scan
starts, one alert during the scan, and one alert at the end of the scan.
These alerts don't have any packets associated with them.  They will _never_
be in the pcap file.

The _only_ way snort will log a packet that was part of a portscan is if the
packet matches a rule (SYN-FIN Scan for example).  If it matches a rule, then
a copy of the packet will be saved.  If there is no rule, there won't be a
matching packet log.

I'm not sure if I'm stating it better here or in the second paragraph of
the previous email.  Read both and see if it helps!

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
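The distinction Erek draws, as an added illustration that is not part of the original message and not Snort's own code: a stateful scan tracker (standing in for spp_portscan) produces start, status and end alerts that reference no packet, while a per-packet rule matcher (standing in for the rule engine) is the only path that copies a packet into the log. The threshold, idle timeout, rule tuple format and the sample traffic are assumptions of this model.

```python
"""Model of why portscan alerts carry no packets while rule alerts do.

Added illustration, not Snort source code.  Threshold, idle timeout, the
(proto, flags, msg) rule tuples and the sample traffic are all constructed
for this model.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str          # "udp" or "tcp"
    src: str
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters, e.g. "SF" = SYN+FIN; "" for UDP


@dataclass
class Alert:
    msg: str
    packet: Optional[Packet]   # None: the alert describes a pattern, not a packet


class PortscanPreprocessor:
    """Stateful scan tracker (a model of spp_portscan, not its code).

    Counts distinct (dst, dport) targets per source.  Once a source crosses
    the threshold it is "scanning": one alert at the start, one status alert
    while it continues, one at the end when the source goes quiet.  None of
    these alerts points at a single packet, so nothing reaches the packet log.
    """

    def __init__(self, threshold: int = 5, idle_timeout: float = 2.0):
        self.threshold = threshold
        self.idle_timeout = idle_timeout
        self.targets = defaultdict(set)   # src -> {(dst, dport)}
        self.last_seen = {}               # src -> timestamp of last packet
        self.started = set()              # sources already reported as scanning
        self.status_sent = set()          # sources that got their status alert

    def process(self, pkt: Packet, now: float) -> List[Alert]:
        alerts = self.expire(now)
        self.targets[pkt.src].add((pkt.dst, pkt.dport))
        self.last_seen[pkt.src] = pkt.ts
        n = len(self.targets[pkt.src])
        if n >= self.threshold and pkt.src not in self.started:
            self.started.add(pkt.src)
            alerts.append(Alert(f"PORTSCAN DETECTED from {pkt.src} ({n} ports)", None))
        elif (pkt.src in self.started and n >= 2 * self.threshold
              and pkt.src not in self.status_sent):
            self.status_sent.add(pkt.src)
            alerts.append(Alert(f"portscan status from {pkt.src}: {n} ports so far", None))
        return alerts

    def expire(self, now: float) -> List[Alert]:
        """Close out sources that have been idle longer than idle_timeout."""
        alerts = []
        for src in list(self.last_seen):
            if now - self.last_seen[src] > self.idle_timeout:
                if src in self.started:
                    n = len(self.targets[src])
                    alerts.append(Alert(f"End of portscan from {src}: {n} ports", None))
                self.targets.pop(src)
                self.last_seen.pop(src)
                self.started.discard(src)
                self.status_sent.discard(src)
        return alerts


class RuleEngine:
    """Per-packet signature matcher (a model of the rule engine, not its code).

    A match produces an alert *with* the packet attached, and the packet is
    copied into the packet log: that copy is what ends up in the pcap file.
    """

    def __init__(self, rules):
        self.rules = rules   # list of (proto, flags, msg); flags "" = any flags

    def process(self, pkt: Packet):
        for proto, flags, msg in self.rules:
            if pkt.proto == proto and (flags == "" or pkt.flags == flags):
                return [Alert(msg, pkt)], [pkt]
        return [], []


def run(packets: List[Packet], rules, end_time: float):
    """Feed packets through both components; return (alerts, packet_log)."""
    pre, eng = PortscanPreprocessor(), RuleEngine(rules)
    alerts, packet_log = [], []
    for pkt in sorted(packets, key=lambda p: p.ts):
        alerts += pre.process(pkt, pkt.ts)
        rule_alerts, logged = eng.process(pkt)
        alerts += rule_alerts
        packet_log += logged
    alerts += pre.expire(end_time)   # end of capture: flush idle scanners
    return alerts, packet_log


# Constructed sample traffic: 12 UDP probes to ports 1..12 from one source,
# one SYN+FIN probe from the same source, and an ordinary DNS query from another.
SAMPLE = [Packet(ts=0.1 * i, proto="udp", src="10.0.0.5", dst="10.0.0.9", dport=p)
          for i, p in enumerate(range(1, 13))]
SAMPLE.append(Packet(ts=1.3, proto="tcp", src="10.0.0.5", dst="10.0.0.9", dport=80, flags="SF"))
SAMPLE.append(Packet(ts=0.5, proto="udp", src="10.0.0.6", dst="10.0.0.9", dport=53))
RULES = [("tcp", "SF", "SCAN SYN FIN")]   # the only thing that logs a packet here


def demo():
    return run(SAMPLE, RULES, end_time=5.0)


if __name__ == "__main__":
    alerts, log = demo()
    for a in alerts:
        print(("packet logged  " if a.packet else "no packet      ") + a.msg)
    print(f"{len(log)} packet(s) in the log; {sum(a.packet is None for a in alerts)} alert(s) without one")
```

Running it shows three packet-less alerts (start, status, end) for the UDP scanner and exactly one logged packet, the SYN+FIN probe that matched a rule; the twelve UDP probes that triggered the scan alerts never appear in the log, which is the behaviour the reply describes.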



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
