[Snort-users] Re: snort can't find SYN FLOOD attack?

Crist J. Clark cjclark at ...960...
Fri Mar 9 00:58:34 EST 2001


On Thu, Mar 08, 2001 at 07:11:35PM -0800, jason lee wrote:
> Thank you, Crist.
> 
> Yup, my snort is working properly but SF
> attacks...oooh.
> 
> in my snort.conf:
> ......
> HOME_NET 0.0.0.0
> ......
> preprocessor minfrag: 128
> preprocessor defrag
> ......
> preprocessor portscan: $HOME_NET 4 3 /var/log/syslog
> ......
> 
> And all *.rules were included in snort.conf. I am sure
> that there is no problem in my configuration. I have
> tried nmap and its scans were picked up by snort in my
> syslog.
> What can I do now? Any help would be greatly
> appreciated.

Do you have a 'portscan-ignorehosts' line? You say that nmap port
scans are detected. Have you verified that your SYN scan is actually
reaching the target? If you do a tcpdump on the Snort host, do you see
the SYN scan coming in?
-- 
Crist J. Clark                           cjclark at ...485...
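
One way to run the tcpdump check suggested above, as an added example that is not part of the original message: it reads `tcpdump -n -tt` text output captured on the Snort host, counts bare SYNs per target, and lists sources that cross the threshold in the quoted `portscan` line. It assumes the modern tcpdump text format and that `4 3` means 4 ports within 3 seconds; the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed `tcpdump -n -tt` lines (modern text format), not from the thread.
SAMPLE = """\
984117514.000000 IP 192.0.2.10.40001 > 198.51.100.5.80: Flags [S], seq 1, win 512, length 0
984117514.100000 IP 192.0.2.10.40002 > 198.51.100.5.80: Flags [S], seq 2, win 512, length 0
984117514.200000 IP 192.0.2.10.40003 > 198.51.100.5.80: Flags [S], seq 3, win 512, length 0
984117514.300000 IP 198.51.100.5.80 > 192.0.2.10.40001: Flags [S.], seq 9, ack 2, win 512, length 0
984117515.000000 IP 192.0.2.20.50000 > 198.51.100.5.21: Flags [S], seq 4, win 512, length 0
984117515.500000 IP 192.0.2.20.50000 > 198.51.100.5.22: Flags [S], seq 5, win 512, length 0
984117516.000000 IP 192.0.2.20.50000 > 198.51.100.5.23: Flags [S], seq 6, win 512, length 0
984117516.500000 IP 192.0.2.20.50000 > 198.51.100.5.25: Flags [S], seq 7, win 512, length 0
"""

LINE = re.compile(r"^(\d+\.\d+) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]")

def syn_only(text):
    """Return (ts, src, dst, dport) for packets with SYN set and nothing else."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(6) == "S":      # "S." would be SYN+ACK, a reply
            out.append((float(m.group(1)), m.group(2), m.group(4), int(m.group(5))))
    return out

def syns_per_target(text):
    """Count bare SYNs per (dst, dport): did the traffic reach the sensor?"""
    return Counter((dst, dport) for _, _, dst, dport in syn_only(text))

def sources_over_threshold(text, ports=4, period=3):
    """Sources that hit >= `ports` distinct ports within `period` seconds."""
    by_src = defaultdict(list)
    for ts, src, _, dport in syn_only(text):
        by_src[src].append((ts, dport))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        for start, _ in events:
            window = {p for ts, p in events if start <= ts <= start + period}
            if len(window) >= ports:
                flagged.add(src)
                break
    return flagged

if __name__ == "__main__":
    print(syns_per_target(SAMPLE))
    print(sources_over_threshold(SAMPLE))
```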



