berjo at ...827...
Sat Sep 1 06:00:10 EDT 2001
I would suggest commenting out some of your preprocessors for a start.
frag2 is a new replacement for defrag. Use only one.
stream2 has been superseded by stream4 & stream4_reassemble. Use only
stream2 or stream4 & stream4_reassemble. I suggest not using stream2 since
it has some memory leaks which have been resolved in stream4.
http_decode and unidecode do the same job (more or less). Use only one of
And finally, just to clarify, you aren't using a switch or dual-speed hub
are you? Switches and Dual-speed hubs don't copy all traffic to all ports.
Make the changes above and see how you go.
John Berkers ICQ: 112912
Network Services Hansen Corporation
john.berkers at ...3164... berjo at ...827...
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
ids-lists at ...3253...
Sent: Friday, 31 August 2001 3:19
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Portscan.log
Sorry for the newbie question but I am having strange results with my
If I port scan a machine on the same net as my snort box sometimes the
portscan.log file is populated with the details of the scan but most of the
time it fails to register the portscan.
I am running 1.8.1 with this command line /usr/local/bin/snort -D -c
with the following snort.conf:
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor stream4: detect_scans
preprocessor http_decode: 80 -unicode -cginull
preprocessor unidecode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
output alert_syslog: LOG_AUTH LOG_ALERT
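A quick check for the overlap John describes, written as an added example (not code from the thread or from the Snort project): it parses the preprocessor lines of a snort.conf, flags pairs that do the same job (defrag/frag2, stream2/stream4, http_decode/unidecode), and comments out the superseded one. The sample config is the poster's, embedded inline; which of http_decode/unidecode to keep is an assumption, since the thread only says to pick one.

```python
import re

# Preprocessor pairs that do the same job in Snort 1.8; run only one of each.
# The first name of each pair is the one this script disables. stream2 and
# defrag are superseded per the thread; dropping http_decode is an assumption.
REDUNDANT_PAIRS = [
    ("defrag", "frag2"),
    ("stream2", "stream4"),
    ("http_decode", "unidecode"),
]

# Constructed sample: the preprocessor section quoted in the original post.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor stream4: detect_scans
preprocessor http_decode: 80 -unicode -cginull
preprocessor unidecode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
output alert_syslog: LOG_AUTH LOG_ALERT
"""

# Matches "preprocessor <name>" with an optional ": <args>" tail.
# A leading '#' makes the line a comment, so commented lines never match.
PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)\s*(?::\s*(.*))?$")


def enabled_preprocessors(conf_text):
    """Return {name: args} for every uncommented preprocessor directive."""
    found = {}
    for line in conf_text.splitlines():
        m = PREPROC_RE.match(line)
        if m:
            found[m.group(1)] = (m.group(2) or "").strip()
    return found


def redundant_preprocessors(conf_text):
    """Return the (old, new) pairs where both members are enabled at once."""
    names = enabled_preprocessors(conf_text)
    return [(a, b) for a, b in REDUNDANT_PAIRS if a in names and b in names]


def suggest_fix(conf_text):
    """Return the config with the superseded member of each pair commented out."""
    to_disable = {old for old, _new in redundant_preprocessors(conf_text)}
    out = []
    for line in conf_text.splitlines():
        m = PREPROC_RE.match(line)
        out.append("# " + line if m and m.group(1) in to_disable else line)
    return "\n".join(out) + "\n"
```

Run `suggest_fix` over your own snort.conf and diff the result; the only lines that change are the duplicated preprocessors.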