Snort mailing list archives
setting up portscan
From: "Bouma, Wobbe" <wobbe.bouma () nl imptob com>
Date: Thu, 27 Jan 2011 16:27:14 +0100
Hi,

I'm trying to get sfportscan working but so far I've failed. And slowly my level of frustration is growing.

I've done an Ubuntu v10.04.1 installation using the manual on the snort.org website. I've added B.A.S.E to look at the alerts. I've added the following line to snort.conf:

    preprocessor sfportscan: proto { all } scan_type { all } sense_level { medium} memcap {1000000 }

Snort is connected with eth1 to a mirror port on the switch that mirrors all data that goes onto the WAN. Now I'm logging in to a server in another WAN location and starting a port scan to one of my servers. Unfortunately I don't see any alerts in B.A.S.E.

The only other thing I have changed so far is the HOME_NET variable. I've set this to only monitor the servers' IP range. If I didn't do that, Snort would log a million ICMP alerts in a day. Almost all of them from the Cisco routers.

So what am I missing here?

Kind regards,
WB