Snort mailing list archives
Re: preprocessor sfportscan does not generate alerts
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Thu, 10 Jul 2014 12:12:54 -0400
Hello. I have the same questions that johnny does but I can't find a good answer. How do you see portscan alerts? If I specify a log file in the sfportscan preprocessor config, it will record the portscan data (since I am testing with a legitimate port scan and this means the scan is being detected) there, but I don't see an alert generated anywhere else (alert file or unified2 file). If I don't configure a log file, where does the alert/data get logged? I don't see it in the alerts file or in the unified2 alerts file. Do special rules need to be enabled as well to get sfportscan to actually generate a normal snort-style alert? What am I doing wrong? Thanks!

Cheers,
Lord C.

On Mon, Feb 25, 2013 at 9:55 AM, johnny.venter <johnny.venter () zoho com> wrote:
I need clarification on preprocessors and rules. In the example below, the preprocessor for sfportscan is "enabled" and it writes an output log to a certain directory when it detects a portscan. But Snort will *NOT* generate an event unless there is a rule enabled for a portscan??? I have a similar situation where sfportscan is enabled and writes to a log directory. It successfully detects various Nmap/Scapy port scans. But Snort never generates an alert in the u2 file. Is there a way to generate an alert without creating a specific port scan rule? If not, this would seem redundant because sfportscan already successfully detects portscans. Thanks.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
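An added example, not taken from either message in this thread: a snort.conf fragment for Snort 2.9.x that configures sfportscan with a logfile and, next to it, loads the preprocessor rules through which sfportscan events are emitted as ordinary alerts under generator ID 122. The rule path, the sense_level, and the logfile location are placeholders chosen for the example, and the commented rule lines reproduce the shape of the stock preprocessor.rules entries for sfportscan.

```conf
# Added example (not from the thread). Assumes Snort 2.9.x with the
# preproc_rules directory from the source tarball; the paths below are
# placeholders and must match your install.
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# sfportscan itself: detect scans of all protocols and types, and also
# dump the scan details to a text logfile. The logfile is optional; the
# same text is carried in the payload of the pseudo-packet that the
# preprocessor hands to the output plugins (alert file, unified2).
preprocessor sfportscan: proto { all } \
                         scan_type { all } \
                         sense_level { low } \
                         logfile { /var/log/snort/portscan.log }

# Preprocessor events are matched against preprocessor rules (GID 122 for
# sfportscan). Load the stock file so each event type has an active rule.
include $PREPROC_RULE_PATH/preprocessor.rules

# The sfportscan entries in preprocessor.rules look like the lines below
# (sid = event type as listed in README.sfportscan). They must not be
# commented out in that file; a commented rule silences that event.
# alert ( msg: "PSNG_TCP_PORTSCAN";  sid: 1;  gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
# alert ( msg: "PSNG_TCP_PORTSWEEP"; sid: 3;  gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
# alert ( msg: "PSNG_OPEN_PORT";     sid: 27; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
```

To check that the events are actually reaching an output plugin rather than only the logfile, run a scan against the sensor and look for the generator ID: with `-A console` the alert line begins with `[122:1:1] (portscan) TCP Portscan`, and for a unified2 file `u2spewfoo <unified2 file>` prints each record with its gen id, so filtering its output for `122` shows the portscan events. If the logfile fills up but neither check shows GID 122, the thing to inspect is the rule side (whether preprocessor.rules is included and the 122 lines in it are active), not the preprocessor configuration.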
Current thread:
- Re: preprocessor sfportscan does not generate alerts L0rd Ch0de1m0rt (Jul 10)
- Re: preprocessor sfportscan does not generate alerts L0rd Ch0de1m0rt (Jul 11)