[Snort-users] Snort won't detect any portscan activity

Alen Salamun alen.salamun at ...4998...
Sun Feb 17 03:36:02 EST 2002


Hello!

I have been trying to get snort up and running on my Mandrake 8.1.
Everything works OK, but snort won't detect any kind of portscans
(nmap -sS, -sT) at all. Portscans go through; I don't block them with
iptables. I tried some other rules and they worked.

I have Mandrake 8.1 and Snort 1.8.3 precompiled from the site and even
recompiled it myself. Configuration:

var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 3 5 /var/log/snort/portscan.log
and all the normal includes....

Where am I going wrong?

Bye, Alen
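
Added example, not part of the original post and not Snort's own code: a simplified Python model of what the arguments in "preprocessor portscan: $HOME_NET 3 5 ..." express, namely one source reaching 3 distinct ports in the monitored network within 5 seconds. The function name, the event tuple layout and the sample events are constructed, and matching the monitored network against the destination address is an assumption of this model.

```python
import ipaddress
from collections import defaultdict, deque

def detect_scans(events, home_net="192.168.1.0/24", ports=3, period=5):
    """Return [(time, src)] for each source that reaches `ports` distinct
    (dst, dport) pairs inside `home_net` within `period` seconds.
    `events` is a time-sorted list of (time_s, src, dst, dport) tuples."""
    net = ipaddress.ip_network(home_net)
    recent = defaultdict(deque)      # src -> (time, dst, dport) still in the window
    alerted, alerts = set(), []
    for t, src, dst, dport in events:
        if ipaddress.ip_address(dst) not in net:
            continue                 # assumption: only monitored destinations count
        window = recent[src]
        window.append((t, dst, dport))
        while t - window[0][0] > period:
            window.popleft()         # drop probes older than the detection period
        distinct = {(d, p) for _, d, p in window}
        if len(distinct) >= ports and src not in alerted:
            alerted.add(src)         # one alert per source in this model
            alerts.append((t, src))
    return alerts

# Constructed sample events: (seconds, source, destination, destination port)
SAMPLE = [
    (0.0, "10.0.0.5", "192.168.1.10", 22),
    (0.4, "10.0.0.5", "192.168.1.10", 23),
    (0.9, "10.0.0.5", "192.168.1.10", 80),   # third port within 5 s: alert
    (1.0, "10.0.0.7", "192.168.1.10", 80),
    (1.5, "10.0.0.7", "192.168.1.10", 443),  # only two ports: below threshold
    (21.0, "10.0.0.9", "172.16.0.1", 21),    # destination outside HOME_NET
    (21.1, "10.0.0.9", "172.16.0.1", 22),
    (21.2, "10.0.0.9", "172.16.0.1", 23),
]

if __name__ == "__main__":
    for when, src in detect_scans(SAMPLE):
        print(f"{when:6.1f}s portscan threshold reached by {src}")
```
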




