[Snort-users] nmap scans don't appear in portscan.log
jyates at ...5449...
Mon Apr 1 23:28:09 EST 2002
On Mon, 2002-04-01 at 15:24, Salomon, Charlie wrote:
> I'm a Snort newbie and need some help. I configured Snort 1.8.4 on Linux (Slackware 7.1) with the default snort.conf file except for the HOME_NET variable. We use a 172.xx.x.0 internal network with a 255.255.252.0 mask. The HOME_NET entry is 172.xx.x.0/22.
> I ran nmap against the Snort box and the scans were properly detected. However, when I ran a scan against other machines on our network, the scans were not detected. I am running snort as a daemon with the following parameters:
> snort -b -y -A fast -c snort.conf -M wrkstns -D
> I ran snort -vde, and I am seeing packets from other machines.
> All scans are from an internal machine to other internal machines, and on the same subnet.
> All preprocessors pertaining to scans are active as well as the scan.rules.
Unless you have snort hooked up to a monitor port on a switch or
something, Snort can't see the traffic, therefore it can't report bad
traffic. You should probably check with your Network Administrator, and
ask him/her to make a monitor port on your switch. I actually duplicate
all the traffic going to and from my router port on to another port,
which is hooked up to a monitor server. 3Com switches call this feature
roving analysis, and I can't remember what Cisco calls it.
If you need any help, email me.
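One way to check whether a sensor port is actually receiving mirrored traffic, as an added example that is not part of the original thread: classify captured Ethernet frames by destination MAC relative to the sensor. The MAC addresses, helper names and sample frames below are constructed for illustration.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify(frame: bytes, sensor_mac: bytes) -> str:
    """Classify one Ethernet frame by its destination MAC."""
    if len(frame) < 14:              # shorter than an Ethernet header
        return "truncated"
    dst = frame[0:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                # group bit set means multicast
        return "multicast"
    if dst == sensor_mac:
        return "to_sensor"
    return "to_other_host"           # unicast between other machines

def visibility(frames, sensor_mac: bytes):
    """Return (counts, mirrored); mirrored is True when unicast traffic
    addressed to other hosts reaches the sensor interface."""
    counts = Counter(classify(f, sensor_mac) for f in frames)
    return counts, counts["to_other_host"] > 0

def build(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    """Build a constructed sample frame with a zeroed payload."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + bytes(46)

# Constructed sample data (locally administered MACs, not real hosts).
SENSOR, HOST_A, HOST_B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"

# What a sensor on an ordinary switch port typically receives.
UNMIRRORED = [
    build("ff:ff:ff:ff:ff:ff", HOST_A, 0x0806),  # ARP broadcast from A
    build(SENSOR, HOST_A),                       # traffic aimed at the sensor
    build("01:00:5e:00:00:01", HOST_B),          # IP multicast from B
]
# The same capture plus host-to-host unicast, as seen on a monitor port.
MIRRORED = UNMIRRORED + [build(HOST_B, HOST_A)]

if __name__ == "__main__":
    for name, capture in (("unmirrored", UNMIRRORED), ("mirrored", MIRRORED)):
        counts, mirrored = visibility(capture, mac(SENSOR))
        print(f"{name}: {dict(counts)} mirrored={mirrored}")
```

Broadcast and multicast frames explain why `snort -vde` can show packets from other machines even on an unmirrored port. A switch may also briefly flood unicast frames for MAC addresses it has not learned yet, so look for sustained host-to-host traffic rather than a single frame.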