[Snort-users] Snort won't detect any portscan activity
mkettler at ...4108...
Mon Feb 18 08:57:06 EST 2002

First, I'd try setting HOME_NET to any as a quick test.

I'm guessing (wildly) that you have snort running on a Linux box that is
doing address translation/masquerading/whatever for a small network. If you
have snort listening on your outside interface HOME_NET should be the IP of
that interface, not the address translated ones, since the 192.168.*.*
addresses will never appear on that interface.

Also note, you will have to generate attacks from the outside world heading
in to your network, not from the inside heading out. Snort only monitors
for portscans being run against HOME_NET (ie: any portscans being run from
HOME_NET will generally not be detected).

Please include some more details about your setup and the scans you are
running if this isn't helpful to you.

At 12:35 PM 2/17/2002 +0100, Alen Salamun wrote:
>I have been trying to get snort up and running on my Mandrake 8.1.
>Everything works OK, but snort won't detect any kind of portscans
>(nmap -sS, -sT) at all. Portscans go through; I don't block them with
>iptables. I tried some other rules and they worked.
>I have mandrake 8.1 and Snort 1.8.3 precompiled from site and even
>recompiled it myself. Configuration:
>var HOME_NET 192.168.1.0/24
>var EXTERNAL_NET any
>var SMTP $HOME_NET
>var HTTP_SERVERS $HOME_NET
>var SQL_SERVERS $HOME_NET
>var DNS_SERVERS $HOME_NET
>preprocessor stream4: detect_scans
>preprocessor http_decode: 80 -unicode -cginull
>preprocessor rpc_decode: 111
>preprocessor bo: -nobrute
>preprocessor portscan: $HOME_NET 3 5 /var/log/snort/portscan.log
>and all the normal includes....
>Where Do I lie wrong?
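
The check suggested in the reply, as an added example that is not part of the original message or of Snort itself: it reads the `var` lines and the `portscan` preprocessor line from the quoted configuration and reports whether a scan aimed at a given address falls inside the monitored network. The outside interface address `203.0.113.10` is a constructed placeholder, and treating `any` as `0.0.0.0/0` is an assumption based on the reply's quick test.

```python
import ipaddress
import re

# Lines taken from the configuration quoted in the message ('>' removed).
PAGE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
preprocessor portscan: $HOME_NET 3 5 /var/log/snort/portscan.log
"""
OUTSIDE_IP = "203.0.113.10"  # constructed: address of the outside interface


def parse_vars(conf):
    """Collect 'var NAME value' lines into a dict."""
    return dict(re.findall(r"^\s*var\s+(\S+)\s+(\S+)", conf, re.M))


def resolve(value, variables):
    """Follow $NAME references until a literal value is reached."""
    seen = set()
    while value.startswith("$"):
        name = value[1:]
        if name in seen or name not in variables:
            raise ValueError(f"unresolvable variable ${name}")
        seen.add(name)
        value = variables[name]
    return value


def portscan_monitored_net(conf):
    """Network named first on the 'preprocessor portscan:' line, or None."""
    m = re.search(r"^\s*preprocessor\s+portscan:\s*(\S+)", conf, re.M)
    if m is None:
        return None
    value = resolve(m.group(1), parse_vars(conf))
    if value == "any":  # assumption: 'any' means every address
        value = "0.0.0.0/0"
    return ipaddress.ip_network(value, strict=False)  # single CIDR only


def scan_target_monitored(conf, target_ip):
    """True if a scan against target_ip is inside the monitored network."""
    net = portscan_monitored_net(conf)
    return net is not None and ipaddress.ip_address(target_ip) in net


if __name__ == "__main__":
    for ip in ("192.168.1.10", OUTSIDE_IP):
        print(ip, scan_target_monitored(PAGE_CONF, ip))
```
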