[Snort-users] Scan Proxy

Togan Muftuoglu toganm at ...603...
Tue Apr 24 03:04:56 EDT 2001


On Tue, Apr 24, 2001 at 02:45:21AM -0400, Brian Caswell wrote:
> Did that have portscans setup correctly?  You might want to check the
> portscan settings, it might be too tightly wound for your uses.

I assume your first question regarding portscans is for 1.8. Please find it below; this is from my current snort.conf:

var HOME_NET any

var EXTERNAL_NET any

var SMTP $HOME_NET 

# Set up your web servers, or simply configure them 
# to HOME_NET
#var HTTP_SERVERS $HOME_NET
 
# Define the addresses of DNS servers and other hosts 
# if you want to ignore portscan false alarms from them...

var DNS_SERVERS $HOME_NET


preprocessor minfrag: 128


preprocessor defrag


# use one or the other, not both!
#preprocessor stream: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384

preprocessor http_decode: 80 -unicode -cginull

preprocessor rpc_decode: 111 32771 

preprocessor bo: -nobrute

preprocessor telnet_decode


preprocessor portscan: $HOME_NET 4 3 portscan.log

preprocessor portscan-ignorehosts: $DNS_SERVERS

# Use one or more syslog facilities as arguments
#
 output alert_syslog: LOG_AUTH LOG_ALERT

include classification.config

The classification.config is the default that comes with the source.

> in classification.config of course.  I'm writing a README.priority,
> but for now the documentation in classification.config should be
> enough to start.

Ehm, looks like I need more coffee. Sorry.

> Correct.  SF has been notified of the change, but they are massively
> busy over there.  Too many exploits, too many vulnerabilities, too
> little time.  I've been told 'soon'.  Give em a bit of time.  1.8
> hasn't been released yet, so they have a short bit of time :)

Relief on that point. Thanks.


-- 
Togan Muftuoglu
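
Added example (not part of the original message and not Snort project code): a small Python check that expands the `var` references in a snort.conf and reports the values the portscan lines end up with. The helper names are hypothetical, and the argument order for `portscan` (network, port count, seconds, log file) is an assumption.

```python
import re

# Constructed sample: the var and portscan lines from the snort.conf quoted above.
SAMPLE_CONF = """\
var HOME_NET any
var DNS_SERVERS $HOME_NET
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
"""

def expand(token, variables):
    """Replace a $NAME reference with the value defined earlier in the file."""
    if not token.startswith("$"):
        return token
    if token[1:] not in variables:
        raise ValueError("undefined variable " + token)
    return variables[token[1:]]

def audit_portscan(conf_text):
    """Hypothetical helper: effective portscan settings plus findings."""
    variables, report = {}, {"ignored": [], "findings": []}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"var\s+(\S+)\s+(\S+)$", line)
        if m:  # expand at definition time, so later lines see literal values
            variables[m.group(1)] = expand(m.group(2), variables)
            continue
        # Assumed argument order: network, port count, seconds, log file.
        m = re.match(r"preprocessor\s+portscan:\s*(\S+)\s+(\d+)\s+(\d+)\s+(\S+)$", line)
        if m:
            report.update(monitored=expand(m.group(1), variables),
                          ports=int(m.group(2)), seconds=int(m.group(3)),
                          logfile=m.group(4))
            continue
        m = re.match(r"preprocessor\s+portscan-ignorehosts:\s*(.+)$", line)
        if m:
            report["ignored"] = [expand(t, variables) for t in m.group(1).split()]
    for entry in report["ignored"]:
        if entry == report.get("monitored"):
            report["findings"].append(
                "portscan-ignorehosts entry %r equals the monitored network" % entry)
    return report

if __name__ == "__main__":
    print(audit_portscan(SAMPLE_CONF))
```

On the sample lines, `DNS_SERVERS` expands to the same value as `HOME_NET`, so the ignore list and the monitored network come out identical.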