[Snort-users] nmap scans don't appear in portscan.log

Jason Yates jyates at ...5449...
Mon Apr 1 23:28:09 EST 2002

On Mon, 2002-04-01 at 15:24, Salomon, Charlie wrote:
> I'm a Snort newbie and need some help.  I configured Snort 1.8.4 on Linux (Slackware 7.1) with the default snort.conf file except for the HOME_NET variable.  We use a 172.xx.x.0 internal network with a mask.  The HOME_NET entry is 172.xx.x.0/22.  
> I ran nmap against the Snort box and the scans were properly detected.  However, when I ran a scan against nother machines on our network, the scans were not detected.  I am running snort as a daemon with the following parameters:
> snort -b -y -A fast -c snort.conf -M wrkstns -D
> I ran snort -vde, and I am seeing packets from other machines.
> All scans are from an internal machine to other internal machines, and on the same subnet.  
> All preprocesors pertaining to scans are active as well as the scan.rules.

Unless you have snort hooked up to a monitor port, on switch or
something.  Snort can't see the traffic, therefore it can't report bad
traffic.  You should probably check with your Network Administrator, and
ask him/her to make a monitor port on your switch.  I actually duplicate
all the traffic going to and from my router port on to another port,
which is hooked up to a monitor server.  3com switches call this feature
roving analysis, and I can't remember what cisco calls it.

If you need any help email me.


More information about the Snort-users mailing list