[Snort-users] re: Why Gibson scans don't register

Don Heffernan donheff at ...88...
Sun Jul 30 11:23:58 EDT 2000

Thanks Ed.  It set the preprocessor time setting up (way up) and caught
the port scans.

There are a lot of NetBios alerts in the rule set, but I don't register
grc's attempts to access port 139 when I use it's "shields test."  I
would guess that it does a quick single port scan to see if 139 is open
before it does any further tests.  It wouldn't see 139 in my case and
would not proceed to run the more detailed tests that would trigger
specific NetBios alerts.



> From: Ed Padin
>   To: snort-users at lists.sourceforge.net
>   Subject: RE: [Snort-users] Why Gibson scans don't register?
>   Date: Sun, 30 Jul 2000 03:05:10 -0400
>   charset="iso-8859-1"
>   The site you're talking about is http://grc.com
>   He does a scan of known/common services/ports only and I think he executes
>   his scan kinda slow. It may fall within the threshold set in the scan
>   preprocessor assuming you're using it. If you're not using it, then that
>   would also explain the lack of alerts. If you tested the shields you'd get a
>   NetBIOS probe. I think there's a rule for that but it would trigger like
>   crazy anyway. NetBIOS probes are for windows like.... farts are for people.
>   >-----Original Message-----
>   >From: Don Heffernan [mailto:donheff at ...88...]
>   >Sent: Saturday, July 29, 2000 9:54 AM
>   >To: snort-users at lists.sourceforge.net
>   >Subject: [Snort-users] Why Gibson scans don't register?
>   >
>   >
>   >I have been running Snort for a few days and it registers a
>   >fair nyumber
>   >of port scans each day, as well as a variety of specific attemts (e.g,
>   >wingate).  I went to Gibson's Shields up site and had it run its port
>   >scan and it's probes and didn't get an alert from Snort.  Any thoughts
>   >on why that would be so?
>   >
>   >--
>   >Don Heffernan
>   >heffernan.cais.net

More information about the Snort-users mailing list