[Snort-users] not logging portscans

Matt Kettler mkettler at ...4108...
Thu May 23 18:49:02 EDT 2002

Is your snort sensor attached to a network switch? What about a "dual speed 
auto switching hub"?

Snort can only see what goes by the Ethernet it's attached to, and network 
switches only send traffic to the machines that need it (i.e., you'll see 
broadcasts, like ARPs from other machines, but no traffic sent to them 
alone). Internally, auto switching hubs are more like a 10mbit hub and a 
100mbit hub with a 2 port switch between them, so the 10mbit ports don't 
see traffic exclusively between two 100mbit ports, or vice versa.

You can tinker around a bit using tcpdump to see what's going by your 
Ethernet port to see if it's an Ethernet-level problem or a snort 
configuration problem.

At 01:47 PM 5/23/2002 +0100, Fage Martin wrote:
>Snort doesn't seem to detect any portscanning activity except when
>directly scanning snort
>Any ideas?
>         Thanks
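The tcpdump check suggested in the message above, as an added example that is not part of the original post: it sorts captured frames by destination MAC to show whether the sensor's port ever carries unicast traffic between two other hosts. It assumes the line format current tcpdump prints with `-e -n`; the function names, interface name, MAC and IP addresses are constructed for illustration.

```shell
#!/bin/sh
# Classify `tcpdump -e -n` output by destination MAC to tell a switched-port
# visibility problem from a Snort configuration problem.
# Live use (interface name is an assumption):
#   tcpdump -i eth0 -e -n -c 500 | classify_frames <sensor MAC>
classify_frames() {
    awk -v me="$(printf '%s' "$1" | tr 'A-F' 'a-f')" '
    {
        # With -e the first ">" separates source and destination MAC.
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) next
        src = tolower($(i - 1)); dst = tolower($(i + 1)); sub(/,$/, "", dst)
        if (length(dst) != 17 || dst !~ /^([0-9a-f][0-9a-f]:)+[0-9a-f][0-9a-f]$/) next
        # flood: low bit of first octet set (broadcast/multicast), which a
        #        switch sends to every port.
        # mine:  unicast to or from the sensor itself.
        # other: unicast between two other hosts; only a hub, mirror port or
        #        tap delivers these (a switch may leak a few while it is
        #        still learning addresses).
        if (index("13579bdf", substr(dst, 2, 1)) > 0) flood++
        else if (dst == me || src == me) mine++
        else other++
    }
    END {
        verdict = (other > 0) ? "third-party-unicast-visible" : "own-and-flooded-only"
        printf "flood=%d mine=%d other=%d verdict=%s\n", flood, mine, other, verdict
    }'
}

# Constructed capture as seen from a sensor (MAC ...:01) on a switched port.
sample_capture() {
    cat <<'EOF'
18:49:02.000001 00:0c:29:aa:bb:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.20, length 46
18:49:02.000002 00:0c:29:aa:bb:03 > 00:0c:29:aa:bb:01, ethertype IPv4 (0x0800), length 74: 192.0.2.30.40000 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
18:49:02.000003 00:0c:29:aa:bb:01 > 00:0c:29:aa:bb:03, ethertype IPv4 (0x0800), length 54: 192.0.2.10.22 > 192.0.2.30.40000: Flags [R.], seq 0, ack 2, win 0, length 0
18:49:02.000004 00:0c:29:aa:bb:02 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.0.2.20.5353 > 224.0.0.251.5353: 0 PTR (QM)? _ipp._tcp.local. (45)
EOF
}

sample_capture | classify_frames 00:0C:29:AA:BB:01
```

A verdict of `own-and-flooded-only` over a capture taken while another host is being scanned points at the Ethernet level rather than at the Snort configuration.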