[Snort-users] Snort won't log
fygrave at ...121...
Sat Sep 23 21:45:42 EDT 2000
~ :var HOME_NET 18.104.22.168/32
~ :The IP addresses are correct. Snort *is not* sitting on the IP masqing box.
~ :It's on a FBSD box that is being masqed. I am using the command:
~ :snort -D -c /usr/local/share/snort/snort.kevin
~ :to load Snort. I noticed that when someone port scanned me, snort -v wasn't
~ :showing any of the portscan packets (I grepped for the person's IP). However,
~ :when I port scanned from inside the network, it picked up the port scan. It
~ :gave a false positive (it said an IIS exploit, not a port scan), but we'll figure
That sounds funny, IIS portscan should never match portscan traffic
(unless you weren't sending null packets but some packets which would
trigger this rule :)). Anyway, you can play with adjusting the
threshold of the portscan plugin to see if you can get it to the level
which wouldn't generate much noise for you, but still would pick up most
of the portscans. (There's no way even theoretically to pick up all
portscans... if I am scanning you with one packet/day there's no way to
figure out whether it's legitimate traffic or just some erroneous packet,
or a packet from a machine which eventually went offline.)
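
The threshold trade-off described in the reply above, as an added example that is not part of the original post and is not Snort's portscan plugin code. It assumes a simplified detector that alerts when one source touches N distinct ports within T seconds; the function names, addresses and timings are constructed for illustration.

```python
from collections import defaultdict, deque

def detect_scans(packets, ports_threshold, window_seconds):
    """Return {src: first_alert_time} for sources that touch at least
    ports_threshold distinct destination ports within window_seconds.
    packets: iterable of (timestamp, src_ip, dst_port), sorted by time."""
    recent = defaultdict(deque)      # src -> deque of (timestamp, dst_port)
    alerts = {}
    for ts, src, port in packets:
        q = recent[src]
        q.append((ts, port))
        # Drop observations that have fallen out of the detection window.
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        if src not in alerts and len({p for _, p in q}) >= ports_threshold:
            alerts[src] = ts
    return alerts

# Constructed sample traffic (documentation addresses, not real hosts).
DAY = 86400
FAST = [(i, "192.0.2.10", 20 + i) for i in range(10)]        # 10 ports in 10 s
SLOW = [(i * DAY, "192.0.2.20", 20 + i) for i in range(10)]  # 1 packet/day
# An ordinary client: two services, hours apart.
NORMAL = [(100, "192.0.2.30", 80), (7200, "192.0.2.30", 443),
          (50000, "192.0.2.30", 80)]
TRAFFIC = sorted(FAST + SLOW + NORMAL)

def sweep(packets, settings):
    """Run the detector once per (ports_threshold, window_seconds) pair."""
    return {s: detect_scans(packets, *s) for s in settings}

if __name__ == "__main__":
    for (ports, window), hits in sweep(
            TRAFFIC, [(4, 3), (4, 60), (2, DAY)]).items():
        print(f"{ports} ports / {window:>5} s -> flagged: {sorted(hits)}")
```

Only the setting loose enough to flag the one-packet-per-day source also flags the ordinary client, which is the noise the reply warns about.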