[Snort-users] Snort and preprocess

Aaron S. Carmichael aaron at ...532...
Fri Sep 29 13:37:50 EDT 2000


Running snort and have a question about the portscan preprocess.

Why does snort not log data for an IP that a portscan was initiated on, other
than the portscan info in snort_portscan.log? Is there a way to increase the
amount of data that is logged in that file? Is there a way to log all the
packets that are related to that IP, as with all other logs that snort
generates?

I refuse telnet sessions and other connections to our systems from IPs that
I do not specifically allow. They are rejected and told to contact us if
they are indeed supposed to have access... I simply use hosts.allow and
.deny files to delegate this and it works well. Most times someone only
needs to try once, sees the message and bails, but you get stupid script
kiddies and whatnot that like to try 40 IPs with the same attack, and each
time they get a note back I get it logged, both from the refusal by telnet
and by snort. Works well, but I would still like to log the information that
each attempt carries with it... Maybe I can't if I refuse the sessions?

The other question is how to deal with portscan and adjust it so that it
may be able to recognize a DNS query as NOT being a portscan. Almost all the
portscans that I get are DNS servers looking up domains that we handle. Has
anyone else noticed this or found a solution?

Thanks in advance

and I too am willing to host the ArachNIDS database should it be needed.


aaron


Aaron S. Carmichael
VP Information Technology
TimeCertain, LLC.
202-244-3243 (voice)
202-244-5694 (fax)
aaron at ...532...
http://www.timecertain.com
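An added illustration (not from the original post or from the Snort project) of why a DNS server can look like a portscanner to a threshold-based detector like the old portscan preprocessor, and one way to suppress that false positive. It assumes, as a simplified model, that the preprocessor counts distinct destination ports per source within a time window, and uses constructed packet records rather than real snort_portscan.log lines.

```python
# Toy version of an "N distinct ports from one source within M seconds"
# portscan heuristic (assumed model of the Snort 1.x preprocessor), run over
# constructed packet records. A remote nameserver answering our resolver's
# queries sends replies from port 53 to many ephemeral ports, which looks like
# a UDP sweep; skipping packets whose *source* port is 53 removes that.
from collections import defaultdict

# Constructed sample packets: (time_sec, src_ip, src_port, dst_ip, dst_port, proto)
PACKETS = [
    # remote DNS server replying to our resolver 10.0.0.5 on many ports
    (0.0, "192.0.2.53", 53, "10.0.0.5", 33001, "UDP"),
    (0.2, "192.0.2.53", 53, "10.0.0.5", 33002, "UDP"),
    (0.4, "192.0.2.53", 53, "10.0.0.5", 33003, "UDP"),
    (0.6, "192.0.2.53", 53, "10.0.0.5", 33004, "UDP"),
    # a genuine TCP sweep from one source across four service ports
    (1.0, "198.51.100.7", 40001, "10.0.0.9", 21, "TCP"),
    (1.1, "198.51.100.7", 40002, "10.0.0.9", 22, "TCP"),
    (1.2, "198.51.100.7", 40003, "10.0.0.9", 23, "TCP"),
    (1.3, "198.51.100.7", 40004, "10.0.0.9", 25, "TCP"),
    # ordinary single-service connection
    (2.0, "203.0.113.4", 50000, "10.0.0.9", 23, "TCP"),
]

def detect_scanners(packets, ports=4, window=3.0, ignore_reply_ports=()):
    """Return the set of source IPs that touch at least `ports` distinct
    destination ports within `window` seconds. Packets whose source port is in
    `ignore_reply_ports` are treated as replies to our own queries (e.g. DNS
    answers from port 53) and are not counted toward the threshold."""
    seen = defaultdict(list)  # src_ip -> [(time, dst_port), ...]
    for t, src, sport, _dst, dport, _proto in packets:
        if sport in ignore_reply_ports:
            continue
        seen[src].append((t, dport))
    scanners = set()
    for src, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {p for t, p in events[i:] if t - t0 <= window}
            if len(in_window) >= ports:
                scanners.add(src)
                break
    return scanners

if __name__ == "__main__":
    print("naive threshold:", sorted(detect_scanners(PACKETS)))
    print("ignoring replies from port 53:",
          sorted(detect_scanners(PACKETS, ignore_reply_ports={53})))
```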
