[Snort-users] Portscan.log

John Berkers berjo at ...827...
Sat Sep 1 06:00:10 EDT 2001

I would suggest commenting out some of your preprocessors for a start.

frag2 is a new replacement for defrag.  Use only one.

stream2 has been superceded by stream4 & stream4_reassemble.  Use only
stream2 or stream4 & stream4_reassemble.  I suggest not using stream2 since
it has some memory leaks which have been resolved in stream4.

http_decode and unidecode do the same job (more or less).  Use only one of

And finally, just to clarify, you aren't using a switch or dual-speed hub
are you?  Switches and Dual-speed hubs don't copy all traffic to all ports.

Make the changes above and see how you go.

John Berkers                                       ICQ: 112912
Network Services                            Hansen Corporation
john.berkers at ...3164...               berjo at ...827...

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of
ids-lists at ...3253...
Sent: Friday, 31 August 2001 3:19
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Portscan.log

Sorry for the newbie question but I am having strange results with my

If I port scan a machine on the same net as my snort box  sometimes the
portscan.log file is populated with the details of the scan but most of the
time it fails to register the portscan.

I am running 1.8.1 with this command line /usr/local/bin/snort -D -c

with the following snort.conf:

preprocessor defrag
preprocessor frag2
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor unidecode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
preprocessor arpspoof
output alert_syslog: LOG_AUTH LOG_ALERT

include classification.config
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include shellcode.rules
include misc.rules
include policy.rules
include info.rules
include icmp-info.rules
include virus.rules
include local.rules

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list