[Snort-users] nmap scans don't appear in portscan.log

Salomon, Charlie csalomon at ...5452...
Mon Apr 1 12:37:26 EST 2002

I'm a Snort newbie and need some help.  I configured Snort 1.8.4 on Linux (Slackware 7.1) with the default snort.conf file except for the HOME_NET variable.  We use a 172.xx.x.0 internal network with a mask.  The HOME_NET entry is 172.xx.x.0/22.  

I ran nmap against the Snort box and the scans were properly detected.  However, when I ran a scan against nother machines on our network, the scans were not detected.  I am running snort as a daemon with the following parameters:

snort -b -y -A fast -c snort.conf -M wrkstns -D

I ran snort -vde, and I am seeing packets from other machines.
All scans are from an internal machine to other internal machines, and on the same subnet.  
All preprocesors pertaining to scans are active as well as the scan.rules.

I reviewed the scan.rules file and all the rules contain entries such as "alert tcp $EXTERNAL_NET any -> $HOME_NET any yadda, yadda, yadda". I thought that Snort might not detect a scan if it came from the same subnet.   I then added (copied actually) the rules pertaining to nmap and changed the $EXTERNAL_NET to $HOME_NET, so the new rules read:

"alert tcp $HOME_NET any -> $HOME_NET any yadda, yadda, yadda"  

I ran nmap again and still no entry in the portscan.log.  

If someone could point me in the right direction, I'd greatly appreciate it.  

> Charlie Salomon

More information about the Snort-users mailing list