Snort mailing list archives
Re: Snort 2.6.1 false negative - not detecting port scans
From: Seth <sethsec () gmail com>
Date: Wed, 18 Jun 2008 16:08:03 -0400
Where is the scan being run from? Same subnet? Behind a firewall?

You mention you are doing the scan against the sensors. Are you scanning the sensor MGMT IP address or the network that the sensor is protecting?

Regards,
Seth

On Fri, Jun 13, 2008 at 5:59 AM, Hari Sekhon <hpsekhon () googlemail com> wrote:
> Hi,
>
> I have a couple of snort sensors with the sfportscan preprocessor enabled and set to sensitivity high with no ignored scanners and have then proceeded to test this using nmap to do the most standard syn and connect scans directly against those sensors and snort has failed on both sensors to detect this.
>
> I am outputting to both syslog and base via barnyard and no portscan alerts have been logged, nor has the unified alert file grown at all, so snort is definitely not logging this.
>
> I am sure snort was logging this before the other day when I was testing this.
>
> Any ideas why snort is failing such a basic test?
>
> -h
>
> --
> Hari Sekhon
>
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort 2.6.1 false negative - not detecting port scans Hari Sekhon (Jun 13)
- Re: Snort 2.6.1 false negative - not detecting port scans Seth (Jun 18)
- Re: Snort 2.6.1 false negative - not detecting port scans Hari Sekhon (Jun 19)
- Re: Snort 2.6.1 false negative - not detecting port scans Seth (Jun 18)