[Snort-users] Port scanning

Subba Rao subba9 at ...530...
Tue Sep 18 02:47:02 EDT 2001


On  0, Erek Adams <erek at ...577...> wrote:
> On Mon, 17 Sep 2001, Subba Rao wrote:
> 
> [...snip...]
> 
> > Now, I dial to the Internet using another system and run a portscan on the
> > Snort box. All I am seeing is some ICMP "Echo Reply" logged into the "alerts"
> > file. There is nothing logged into "portscan.log" while the ipchains is logging
> > each port connect attempt into syslog.
> 
> [...snip...]
> 
> Actually, a little research gives this answer:
> 
> http://snort.sourcefire.com/docs/faq.html#4.3
> 
> :)  Guess I was right!
> 

Thanks for the pointer. I thought Snort uses libpcap for capturing the packets.
On my system (with iptables), I do log all the Internet traffic using 'tcpdump'.
Obviously 'tcpdump' is capturing packets before iptables sees them.

-- 

Subba Rao
subba9 at ...530...                     http://members.home.net/subba9/
OpenPGP/GPG public key ID CCB7344E

 => Time is relative. Here is a new way to look at time. <=
http://www.smcinnovations.com



