[Snort-users] Snort won't detect any portscan activity

Matt Kettler mkettler at ...4108...
Mon Feb 18 08:57:06 EST 2002


First, I'd try setting HOME_NET to any as a quick test.

I'm guessing (wildly) that you have snort running on a Linux box that is 
doing address translation/masquerading/whatever for a small network. If you 
have snort listening on your outside interface HOME_NET should be the IP of 
that interface, not the address translated ones, since the 192.168.*.* 
addresses will never appear on that interface.


Also note, you will have to generate attacks from the outside world heading 
into your network, not from the inside heading out. Snort only monitors 
for portscans being run against HOME_NET (i.e. any portscans being run from 
HOME_NET will generally not be detected).

Please include some more details about your setup and the scans you are 
running if this isn't helpful to you.


At 12:35 PM 2/17/2002 +0100, Alen Salamun wrote:
>Hello!
>
>I have been trying to get snort up and running on my Mandrake 8.1.
>Everything works OK, but snort won't detect any kind of portscans
>(nmap -sS, -sT) at all. Portscans go through; I don't block them with
>iptables. I tried some other rules and they worked.
>
>I have mandrake 8.1 and Snort 1.8.3 precompiled from site and even
>recompiled it myself. Configuration:
>
>var HOME_NET 192.168.1.0/24
>var EXTERNAL_NET any
>var SMTP $HOME_NET
>var HTTP_SERVERS $HOME_NET
>var SQL_SERVERS $HOME_NET
>var DNS_SERVERS $HOME_NET
>
>preprocessor frag2
>preprocessor stream4: detect_scans
>preprocessor stream4_reassemble
>preprocessor http_decode: 80 -unicode -cginull
>preprocessor rpc_decode: 111
>preprocessor bo: -nobrute
>preprocessor telnet_decode
>preprocessor portscan: $HOME_NET 3 5 /var/log/snort/portscan.log
>and all the normal includes....
>
>Where am I going wrong?
>
>Bye, Alen
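The following is an added illustration, not code from Snort or from anyone in this thread. It models the gist of what the quoted line `preprocessor portscan: $HOME_NET 3 5 /var/log/snort/portscan.log` asks for, on my reading of the Snort 1.8 argument order (monitored network, number of ports, detection window in seconds, log file): count the distinct ports one source touches on hosts inside the monitored network within a sliding window, and alert when the count reaches the threshold. It then runs that logic over constructed packets to show the two failure modes in the reply above: a scan of the NAT box's outside interface never matches `HOME_NET 192.168.1.0/24` because the 192.168 addresses never appear there, and a scan launched from inside HOME_NET toward the outside is not counted at all. All addresses (203.0.113.5 as the outside interface, 198.51.100.7 as the scanner, 192.168.1.20 as a LAN host) and timestamps are made up for the example.

```python
"""
Toy model of the Snort 1.x "portscan" preprocessor thresholds.
Added illustration only: this is not Snort's implementation.
Packet tuples are (timestamp_seconds, src_ip, dst_ip, dst_port).
"""
import ipaddress
from collections import defaultdict

# Constructed addresses for the scenario in the thread.
OUTSIDE_IF = "203.0.113.5"      # assumed public IP of the masquerading box's outside interface
INSIDE_NET = "192.168.1.0/24"   # HOME_NET as set in the quoted snort.conf
SCANNER = "198.51.100.7"        # assumed external host running nmap -sS
LAN_HOST = "192.168.1.20"       # assumed internal host scanning outward

PORTS = (21, 22, 23, 25, 80)

# Constructed traffic as seen on the outside interface: nmap hitting 5 ports, 100 ms apart.
INBOUND_SCAN = [(0.0 + i * 0.1, SCANNER, OUTSIDE_IF, p) for i, p in enumerate(PORTS)]
# Constructed: a LAN host scanning the external host (heading out, not in).
OUTBOUND_SCAN = [(10.0 + i * 0.1, LAN_HOST, SCANNER, p) for i, p in enumerate(PORTS)]
# Constructed: same inbound scan but one port every 6 s, slower than a 5 s window.
SLOW_SCAN = [(20.0 + i * 6.0, SCANNER, OUTSIDE_IF, p) for i, p in enumerate(PORTS)]


def in_monitor_net(dst_ip, monitor_net):
    """True if dst_ip falls inside the monitored network ('any' matches everything)."""
    if monitor_net == "any":
        return True
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(monitor_net, strict=False)


def detect_portscans(packets, monitor_net, min_ports, window_seconds):
    """
    Return a list of (src_ip, first_packet_ts) alerts, one per source, raised
    when that source has touched at least min_ports distinct destination ports
    on hosts in monitor_net within any window_seconds-long sliding window.
    """
    history = defaultdict(list)   # src_ip -> [(ts, dst_port), ...] inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, dport in sorted(packets):
        if not in_monitor_net(dst, monitor_net):
            continue              # traffic not aimed at HOME_NET is never examined
        # keep only packets still inside the window, including this one
        recent = [(t, p) for (t, p) in history[src] if ts - t <= window_seconds]
        recent.append((ts, dport))
        history[src] = recent
        distinct_ports = {p for _, p in recent}
        if src not in alerted and len(distinct_ports) >= min_ports:
            alerted.add(src)
            alerts.append((src, recent[0][0]))
    return alerts


def demo():
    """Run the four configurations discussed in the thread and return the alerts."""
    return {
        "inbound, HOME_NET=192.168.1.0/24": detect_portscans(INBOUND_SCAN, INSIDE_NET, 3, 5),
        "inbound, HOME_NET=outside IP":     detect_portscans(INBOUND_SCAN, OUTSIDE_IF + "/32", 3, 5),
        "inbound, HOME_NET=any":            detect_portscans(INBOUND_SCAN, "any", 3, 5),
        "outbound, HOME_NET=192.168.1.0/24": detect_portscans(OUTBOUND_SCAN, INSIDE_NET, 3, 5),
        "slow inbound, HOME_NET=any":       detect_portscans(SLOW_SCAN, "any", 3, 5),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:36s} -> {result or 'no alert'}")
```

The practical reading: on a masquerading box sniffing the external interface, set `var HOME_NET <outside-interface-IP>/32` (or `any` while testing), and run the nmap from a host outside the box. The slow-scan case also shows why the two numeric arguments matter: a scan that spreads its probes out beyond the detection window never reaches the port threshold, so a silent Snort can mean the thresholds rather than HOME_NET.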




