[Snort-users] Port scanning

Erek Adams erek at ...577...
Mon Sep 17 07:05:04 EDT 2001

On Mon, 17 Sep 2001, Subba Rao wrote:

> I am running Snort with the following command line options.
> ./bin/snort -l ./logs -c ./etc/snort.conf -o -b -A fast -z est -i eth0 -p
> -t /usr/snort -g snort -u snort

Normal enough.

> In "snort.conf" I have the following configuration,
> preprocessor stream4: detect_scans
> preprocessor portscan: $HOME_NET 4 3 portscan.log


> Now, I dial to the Internet using another system and run a portscan on the
> Snort box. All I am seeing is some ICMP "Echo Reply" logged into the
> "alerts" file. There is nothing logged into "portscan.log" while the
> ipchains is logging each port connect attempt into syslog.

Not so normal.  :)

> What do I need to modify in the configuration file or on the command line
> options to log the port scans?

I'm assuming eth0 is a normal ethernet interface.  Nothing odd like PPoE and
the like...  It would seem that IPchains is 'intercepting' and 'blocking' the
packets before they are able to be processed.  This has been bounced around on
the list quite a bit, so I'd suggest searching the archives before taking my
words on it! :)

Good Luck!

Erek Adams

More information about the Snort-users mailing list