[Snort-users] UDP Portscans Are Not Capture

Grigoris Vidakis gvidakis at ...7022...
Tue Oct 1 01:38:02 EDT 2002

hi all
gammon 's has a point!
  In order to be analyzed the udp portscans from snort, we must change the
line scansToWatch = ~(sRESERVEDBITS | sUDP) in the file spp_portscan.c
to, scansToWatch = ~(sRESERVEDBITS).
  So snort will look for all packets, except those which have the
reservedbits set. Previously snort was looking for all packets except the
previously AND THE UDP.

Dear Erek

i used the wildcard any in order to hide my network ip from the snort
list.Of course i use your suggestions

>Don't use 'any'.  Set your HOME_NET to > (or whatever) and
>EXTERNAL_NET to !$HOME_NET.  That will help >on a lot of false postives.

  My team ISL, is member of the honeynet alliance www.honeynet.org. So we
must get all the output which
snort provides(in any format), which is the input in our research! ( we use
and the above configuration in order to capture everything)
  log tcp any any <> $HOME_NET any (msg: "Unmatched TCP";session:
  log udp any any <> $HOME_NET any (msg: "Unmatched UDP";session:
  log icmp any any <> $HOME_NET any (msg: "Unmatched ICMP";session:

>Only log one type of alerts.  Don't output to both full and >fast.  The
>difference is the amount of info.  If you are using full then >you get all
>same info as fast, just with a little bit extra.

Dear Jim
  The outtput of snort 1.8.3 is not generated from the -b option.

> Or, is the case that the output of snort 1.8.3 (via -b) is becoming
>the input to snort 1.8.7 (via -r)?  If this is the case, then Erek
>correctly noted that the binary (libpcap format) output of 1.8.3 may
>not be as complete as you think.  Specifically, the packets that
>spp_portscan writes to its portscan.log file will only appear in that
>file and will not appear in in binary output file.

Best Regards,

More information about the Snort-users mailing list