Snort mailing list archives

Re: preprocessor sfportscan does not generate alerts


From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Thu, 10 Jul 2014 12:12:54 -0400

Hello.

I have the same questions that johnny does but I can't find a good answer.
How do you see portscan alerts?  If I specify a log file in the sfportscan
preprocessor config, it will record the portscan data (since I am testing
with a legitimate port scan and this means the scan is being detected)
there but I don't see an alert generated anywhere else (alert file or
unified2 file).  If I don't configure a log file, where does the alert/data
get logged?  I don't see it in the alerts file or in the unified2 alerts
file.

Do special rules need to be enabled as well to get the sfportscan to
actually generate a normal snort-style alert?  What am I doing wrong?

Thanks!

Cheers,

Lord C.


On Mon, Feb 25, 2013 at 9:55 AM, johnny.venter <johnny.venter () zoho com>
wrote:

I need clarification on preprocessors and rules.  In the example below,
the preprocessor for sfportscan is "enabled" and it writes an output log to
a certain directory when it detects a portscan.  But Snort will *NOT*
generate an event unless there is a rule enabled for a portscan???

I have a similar situation where sfportscan is enabled and writes to a log
directory.  It successfully detects various Nmap/Scapy port scans.  But
Snort never generates an alert in the u2 file.

Is there a way to generate an alert without creating a specific port scan
rule?  If not, this would seem redundant because sfportscan already
successfully detects portscans.


Thanks.


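Added example, not part of either message above and not Snort project code. Two facts a practitioner needs when checking the symptom described in this thread: sfportscan raises its events under generator ID 122 (e.g. 122:1 is PSNG_TCP_PORTSCAN), and in Snort 2.9 preprocessor events only reach the alert and unified2 outputs when the preprocessor rules are loaded, via "include $PREPROC_RULE_PATH/preprocessor.rules" (with PREPROC_RULE_PATH pointing at the preproc_rules directory) or "config autogenerate_preprocessor_decoder_rules" in snort.conf; the logfile option only writes the preprocessor's own text log. The script below builds a small unified2 stream in memory (constructed sample data, one GID 1 rule hit and one GID 122 portscan event) and filters it for sfportscan events, so you can verify whether portscan events are actually being written to the u2 file. Record layout follows Snort's Unified2RecordHeader and the legacy Unified2IDSEvent (type 7); the helper names are my own.

```python
# Added example: walk a unified2 byte stream and pull out the events Snort
# attributes to the sfportscan preprocessor (generator ID 122).
# Not code from the thread or from the Snort project; all sample data is constructed.
import socket
import struct
import sys
from typing import Dict, Iterator, List, Tuple

UNIFIED2_PACKET = 2        # raw packet record (skipped here)
UNIFIED2_IDS_EVENT = 7     # legacy IPv4 event record, no VLAN/MPLS fields
SFPORTSCAN_GID = 122       # generator ID used by sfportscan events

# Unified2IDSEvent (legacy): big-endian, 52 bytes in total.
_EVENT_FMT = "!IIIIIIIIIII" + "HH" + "BBBB"
_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def ip2int(ip: str) -> int:
    """Dotted quad -> host-order integer, as stored in the event struct."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def build_event_record(**fields) -> bytes:
    """Serialize one UNIFIED2_IDS_EVENT record (8-byte header + 52-byte body)."""
    values = dict.fromkeys(_EVENT_FIELDS, 0)
    values.update(fields)
    body = struct.pack(_EVENT_FMT, *(values[f] for f in _EVENT_FIELDS))
    header = struct.pack("!II", UNIFIED2_IDS_EVENT, len(body))
    return header + body


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) for each (type, length, body) record in the stream."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8 : off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, body
        off += 8 + rlen


def parse_event(body: bytes) -> Dict:
    """Decode the legacy IDS event struct and add printable addresses."""
    vals = struct.unpack(_EVENT_FMT, body[: struct.calcsize(_EVENT_FMT)])
    ev = dict(zip(_EVENT_FIELDS, vals))
    ev["src"] = socket.inet_ntoa(struct.pack("!I", ev["ip_source"]))
    ev["dst"] = socket.inet_ntoa(struct.pack("!I", ev["ip_destination"]))
    return ev


def portscan_events(data: bytes) -> List[Dict]:
    """Return only the events carrying sfportscan's generator ID (122)."""
    found = []
    for rtype, body in iter_records(data):
        if rtype != UNIFIED2_IDS_EVENT:
            continue  # packet / extra-data records carry no GID of their own
        ev = parse_event(body)
        if ev["generator_id"] == SFPORTSCAN_GID:
            found.append(ev)
    return found


# Constructed sample log: an ordinary rule hit (GID 1) followed by an
# sfportscan event (GID 122, SID 1 = PSNG_TCP_PORTSCAN in preprocessor.rules).
SAMPLE_LOG = (
    build_event_record(event_id=1, event_second=1405000000, signature_id=1000001,
                       generator_id=1, signature_revision=1, priority_id=3,
                       ip_source=ip2int("10.0.0.5"), ip_destination=ip2int("10.0.0.1"),
                       sport_itype=40000, dport_icode=80, protocol=6)
    + build_event_record(event_id=2, event_second=1405000001, signature_id=1,
                         generator_id=SFPORTSCAN_GID, signature_revision=1,
                         classification_id=1, priority_id=2,
                         ip_source=ip2int("10.0.0.5"), ip_destination=ip2int("10.0.0.1"),
                         protocol=6)
)

if __name__ == "__main__":
    # Pass a real unified2 file (e.g. /var/log/snort/snort.u2.<timestamp>) to
    # check for portscan events; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ev in portscan_events(data):
        print("%d:%d:%d %s -> %s proto=%d" % (
            ev["generator_id"], ev["signature_id"], ev["signature_revision"],
            ev["src"], ev["dst"], ev["protocol"]))
```

If a real u2 file contains 122:x events the preprocessor rules are loaded and the data is there; if only GID 1/3 events appear while the sfportscan logfile keeps growing, the preprocessor rules are not being included and the events are dropped before output, which matches the symptom both posters describe.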