[Snort-sigs] Portscans.... How to?

Pedro Jorge Barradas pedro.barradas at ...2571...
Tue Jun 22 07:31:23 EDT 2004


I've been doing some tests with Snort's portscan options, but there
seems to be some problem.
I don't seem to get any alarms pertaining to scans.

I've done some Nmap scans (from outside machines), simple ones like
"nmap -sS xx.xx.xx.xx -P0", and the only thing I get is:

-SCAN Proxy Port 8080 attempt
-SNMP AgentX/tcp request
-SCAN Squid Proxy attempt

Shouldn't there be some other alerts popping up? 

These are the configs I've tried:

The first try was this:

	preprocessor flow: stats_interval 0 hash 2
	preprocessor flow-portscan: \
	server-watchnet $HOME_NET \
	unique-memcap 5000000 unique-rows 50000 \
	server-rows 65535 \
	server-learning-time 3600 \
	server-scanner-limit 50 \
	scoreboard-rows-scanner 30000 \
	alert-mode once \
	output-mode msg \
	tcp-penalties on

Nothing came back...

Then I tried this:

	preprocessor stream4:  detect_scans, disable_evasion_alerts

And nothing....

Also this:

	preprocessor conversation: timeout 300

	preprocessor portscan2: target_limit 5, port_limit 15, timeout

And nothing again....

Can anyone help me?


Pedro Jorge B. Barradas
Email : pedro.barradas at ...2571... 
Ext: 117206, Directo: 217 612 206
Av. Miguel Bombarda, 4 - piso 3
1049-058 LISBOA