[Snort-users] not logging portscans

Matt Kettler mkettler at ...4108...
Thu May 23 18:49:02 EDT 2002


Is your Snort sensor attached to a network switch? What about a "dual speed 
auto switching hub"?

Snort can only see what goes by the ethernet it's attached to, and network 
switches only send traffic to the machines that need it (i.e., you'll see 
broadcasts, like ARPs from other machines, but no traffic sent to them 
alone). Internally, auto switching hubs are more like a 10mbit hub and a 
100mbit hub with a 2 port switch between them, so the 10mbit ports don't 
see traffic exclusively between two 100mbit ports, or vice versa.

You can tinker around a bit using tcpdump to see what's going by your 
ethernet port to see if it's an ethernet level problem, or a snort 
configuration problem.


At 01:47 PM 5/23/2002 +0100, Fage Martin wrote:
>Hello
>Snort doesn't seem to detect any portscanning activity except when
>directly scanning snort machine!
>Any ideas?
>         Thanks
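
Added example, not part of the original thread: one way to run the tcpdump check suggested in the reply above is to classify captured frames by destination MAC and see whether any unicast traffic between other machines reaches the sensor at all. The function names, MAC addresses, interface name and sample capture lines are constructed for illustration; the input format is the text output of `tcpdump -e -nn`.

```shell
#!/bin/sh
# Live use (interface name is an assumption):
#   tcpdump -e -nn -c 200 -i eth0 | classify_frames "$SENSOR_MAC"

# classify_frames SENSOR_MAC   (reads `tcpdump -e -nn` lines on stdin)
# Counts frames to/from the sensor, broadcast/multicast frames, and
# unicast frames exchanged between third parties.
classify_frames() {
    awk -v me="$(printf '%s' "$1" | tr 'A-F' 'a-f')" '
    $3 == ">" {
        src = tolower($2)
        dst = tolower($4); sub(/,$/, "", dst)
        if (src == me || dst == me)            own++
        else if (dst ~ /^[0-9a-f][13579bdf]:/) group++  # group bit set: broadcast or multicast
        else                                   other++  # unicast between other machines
    }
    END { printf "own=%d group=%d other=%d\n", own, group, other }'
}

# verdict "own=N group=N other=N"
# other=0 while another host is being scanned points at the switch or hub,
# not at the Snort configuration.
verdict() {
    case "$1" in
        *other=0) echo "switched: no third-party unicast traffic reaches the sensor" ;;
        *)        echo "visible: third-party unicast traffic reaches the sensor" ;;
    esac
}

# Constructed sample captures; the sensor is 00:16:3e:00:00:01 (192.0.2.10).
SAMPLE_SWITCHED='18:49:02.000001 00:16:3e:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.30 tell 192.0.2.20, length 28
18:49:02.000002 00:16:3e:00:00:02 > 00:16:3e:00:00:01, ethertype IPv4 (0x0800), length 74: 192.0.2.20.40000 > 192.0.2.10.22: Flags [S], length 0'

# Same capture plus one SYN sent from host .20 to host .30, as a shared
# segment or a mirror port would show it.
SAMPLE_SHARED="$SAMPLE_SWITCHED
18:49:02.000003 00:16:3e:00:00:02 > 00:16:3e:00:00:03, ethertype IPv4 (0x0800), length 74: 192.0.2.20.40001 > 192.0.2.30.80: Flags [S], length 0"
```

Run the capture while a scan is aimed at a machine other than the sensor; if `other` stays at 0, Snort never receives the packets it would need to log the scan.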
