[Snort-users] Snort and preprocess

Martin Roesch roesch at ...421...
Mon Oct 2 14:55:25 EDT 2000

"Aaron S. Carmichael" wrote:
> Running snort and have a question about the portscan preprocess.
> Why does snort not log data for an ip that a portscan was initiated on other
> then the portscan info in snort_portscan.log? Is there a way to increase the
> amount of data that is logged in that file? Is there a way to log all the
> packets that are related to that IP as with all other logs that snort
> generates?

Well, it's not quite that simple since you need to see X packets over Y
timeframe before it's declared a portscan, and so Snort would have to record
all the packets that come in for some period into some sort of holding area
and then scan that packet list for packets of interest to record all the
packets in a port scan, and even then it might not (probably won't) work all
that well if they slow roll the scan.

> I refuse telnet sessions and other connections to our systems from ip's that
> I do not specifically allow. They are rejected and told to contact us if
> they are indeed supposed to have access... I simply use hosts.allow and
> .deny files to delegate this and it works well.. Most times someone only
> need to try once and sees the message and bails, but you get stupid script
> kiddies and what not that like to try 40 ip's with the same attack and each
> time they get a note back, I get it logged both from the refusal by telnet
> and by snort. Works well but I would still like to log the information that
> each attempt carries with it... Maybe I can't if I refuse the sessions?

You can fire an alert/log on a flex resp packet if you want, that's no
problem.  Are you refusing the connections with something else?

> The other question is how to deal with portscan and adjusting it so that it
> may be able to recognize a DNS query as NOT being a portscan. Almost all the
> portscans that I get are DNS servers looking up domains that we handle. Has
> anyone else noticed this or found a solution?

Yeah, DNS smarts is something that should be added to the portscan detector
pretty soon, the thing is awfully promiscuous by default...


Martin Roesch
roesch at ...421...
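An added illustration, not code from this thread or from Snort, of the two mechanics Martin describes: the "X packets over Y timeframe" threshold with a per-source holding area that lets the detector emit every packet of a scan once it trips, why a slow-rolled scan slips under that window, and an ignore list as one way to keep peer DNS servers from tripping the detector. All addresses, ports and timings are constructed.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.9 sweeps four ports in 1.5s; 10.0.0.7 probes one port every 5s
# (slow roll); 192.0.2.53 is a constructed peer DNS server querying our
# (constructed) nameservers, which looks just like a sweep to the detector.
SAMPLE = [
    (0.0, "10.0.0.9", "172.16.0.1", 21),
    (0.5, "10.0.0.9", "172.16.0.1", 22),
    (1.0, "10.0.0.9", "172.16.0.1", 23),
    (1.5, "10.0.0.9", "172.16.0.1", 25),
    (0.0, "10.0.0.7", "172.16.0.1", 21),
    (5.0, "10.0.0.7", "172.16.0.1", 22),
    (10.0, "10.0.0.7", "172.16.0.1", 23),
    (15.0, "10.0.0.7", "172.16.0.1", 25),
    (0.2, "192.0.2.53", "172.16.0.1", 53),
    (0.4, "192.0.2.53", "172.16.0.2", 53),
    (0.6, "192.0.2.53", "172.16.0.3", 53),
    (0.8, "192.0.2.53", "172.16.0.4", 53),
]


def detect_scans(packets, threshold=4, window=3.0, ignore_hosts=frozenset()):
    """Return {src_ip: [held packets]} for every source that touches at least
    `threshold` distinct (dst_ip, dst_port) targets within `window` seconds.

    Recent packets per source sit in a holding area (a deque) so that when
    the threshold trips, the packets making up the scan are reported together
    rather than only a summary line. Sources in ignore_hosts are never counted.
    """
    held = defaultdict(deque)
    scans = {}
    for pkt in sorted(packets):          # process in timestamp order
        ts, src, dst, dport = pkt
        if src in ignore_hosts or src in scans:
            continue
        q = held[src]
        q.append(pkt)
        # Age out packets older than the window; a slow roll never accumulates.
        while q and ts - q[0][0] > window:
            q.popleft()
        targets = {(p[2], p[3]) for p in q}
        if len(targets) >= threshold:
            scans[src] = list(q)         # emit the whole holding area
    return scans
```

With the defaults the peer DNS server is flagged alongside the real sweep while the slow roll is missed entirely; passing `ignore_hosts={"192.0.2.53"}` suppresses the DNS false positive.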
