Snort mailing list archives
Re: port scan detection
From: Soniya Balram <sonia_balram () yahoo com>
Date: Thu, 23 Oct 2008 23:51:42 -0700 (PDT)
Hi all,

sfportscan preprocessor is generating alerts now. I added logfile { portscan.log } to the preprocessor config in snort.conf.

Is there some documentation on how sfportscan is implemented?

Regards
Soniya

--- On Mon, 20/10/08, Soniya Balram <sonia_balram () yahoo com> wrote:

From: Soniya Balram <sonia_balram () yahoo com>
Subject: [Snort-users] port scan detection
To: snort-users () lists sourceforge net
Date: Monday, 20 October, 2008, 10:13 AM

Hi all,

I use Snort version 2.8.3.1 on a Windows XP machine. I want to detect port scans. I have enabled sfportscan preprocessor. The config is:

    preprocessor sfportscan: proto { all } \
        memcap { 10000000 } \
        scan_type { all } \
        sense_level { high } \
        detect_ack_scans

I have also enabled stream4 preprocessor. The config is:

    preprocessor stream4: detect_scans

I have not enabled any rules. I use nmap to generate different types of scans but no alerts are generated.

To test snort, I wrote a rule:

    alert tcp any any -> any any (msg:"got an tcp packet"; sid:2000000; rev:1;)

This results in alerts.

Can anyone help?

Regards
Soniya
Current thread:
- port scan detection Soniya Balram (Oct 19)
- <Possible follow-ups>
- Re: port scan detection Soniya Balram (Oct 23)