[Snort-users] Re: snort can't find SYN FLOOD attack?
Crist J. Clark
cjclark at ...960...
Fri Mar 9 00:58:34 EST 2001
On Thu, Mar 08, 2001 at 07:11:35PM -0800, jason lee wrote:
> Thank you, Crist.
> Yup, my snort is working properly but SF
> in my snort.conf:
> HOME_NET 0.0.0.0
> preprocessor minfrag: 128
> preprocessor defrag
> preprocessor portscan: $HOME_NET 4 3 /var/log/syslog
> And all *.rules were included in snort.conf. I am sure
> that there is no problem in my configuration. I have
> tried nmap and its scans were picked up by snort in my
> What can I do now? Any help would be greatly
Do you have a 'portscan-ignorehosts' line? You say that nmap port
scans are detected. Have you verified that your SYN scan is actually
reaching the target? If you do a tcpdump on the Snort host, do you see
the SYN scan coming in?
Crist J. Clark cjclark at ...485...
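
The tcpdump check suggested in the reply above, as an added example that is not part of the original thread: it summarizes the SYN-only packets in a saved capture per source address. Assumptions: the input is text output from `tcpdump -n -tt` on a current tcpdump build, the sample lines are constructed, and the `4 3` from the quoted portscan line is read as 4 ports within 3 seconds.

```python
import re
from collections import defaultdict

# Assumed line format (tcpdump -n -tt, current builds):
# "984117514.100000 IP 192.0.2.7.40001 > 198.51.100.5.22: Flags [S], seq 1, ..."
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)
PORTS, SECONDS = 4, 3  # assumption: meaning of "4 3" in the quoted portscan line

def summarize(lines, ports=PORTS, seconds=SECONDS):
    """Per source: SYN count and peak number of distinct targets in the window."""
    per_src = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m and m.group("flags") == "S":  # SYN only; "S." (SYN/ACK) is skipped
            target = (m.group("dst"), int(m.group("dport")))
            per_src[m.group("src")].append((float(m.group("ts")), target))
    report = {}
    for src, events in per_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window so it spans at most `seconds`.
            while events[end][0] - events[start][0] > seconds:
                start += 1
            peak = max(peak, len({t for _, t in events[start:end + 1]}))
        report[src] = {"syns": len(events), "peak_ports": peak,
                       "over_threshold": peak >= ports}
    return report

# Constructed sample capture: one source touching five ports, one source
# repeating SYNs to a single port, one SYN/ACK reply, one unparseable line.
SAMPLE = "\n".join(
    [f"984117514.{i}00000 IP 192.0.2.7.4000{i} > 198.51.100.5.{p}: Flags [S], seq 1, win 1024, length 0"
     for i, p in enumerate((21, 22, 23, 25, 80))]
    + [f"984117515.{i}00000 IP 192.0.2.9.4100{i} > 198.51.100.5.80: Flags [S], seq 1, win 512, length 0"
       for i in range(6)]
    + ["984117515.700000 IP 198.51.100.5.80 > 192.0.2.9.41000: Flags [S.], seq 9, ack 2, win 5840, length 0",
       "tcpdump: listening on eth0"]
)

if __name__ == "__main__":
    for src, row in sorted(summarize(SAMPLE.splitlines()).items()):
        print(src, row)
```

If no SYN-only lines appear for the test source at all, the traffic is not reaching the Snort host; if they appear but never span enough distinct ports inside the window, the quoted portscan thresholds would not be met under the assumed reading.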