[Snort-users] UDP Portscans Are Not Capture

Grigoris Vidakis gvidakis at ...7022...
Mon Sep 30 06:52:03 EDT 2002


Hi!
I run snort Version 1.8.3 (Build 88) in linux 7.2 (2.4.17), which alerts me to the UDP portscans correctly (portscan.log, snort.fast, snort.full).
BUT when I run snort Version 1.8.7 (Build 128) in linux 7.3 (2.4.18-3) with the same snort.conf and a snort binary file as the input (-r), captured from 1.8.3 (which had alerted me about UDP portscans), snort 1.8.7 does not alert on the UDP portscans!!!

Below is the snort.conf which I use for the 2 sensors.

var HOME_NET any
var EXTERNAL_NET any
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var HTTP_PORTS any
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
output log_tcpdump: snort.log
output alert_full: snort_full
output alert_fast: snort_fast

Does anyone have an idea about what is wrong?
