[Snort-users] UDP Portscans Are Not Capture

Erek Adams erek at ...577...
Mon Sep 30 07:25:09 EDT 2002


On Mon, 30 Sep 2002, Grigoris Vidakis wrote:

> I run snort Version 1.8.3 (Build 88) in linux 7.2 (2.4.17) which alerts me
> for the udp portscans correctly (portscan.log, snort.fast, snort.full)  BUT
> when I run snort Version 1.8.7 (Build 128) in linux 7.3 (2.4.18-3) with the
> same snort.conf and a snort binary file as the input (-r), captured from
> 1.8.3, which had alerted me about udp portscans, snort 1.8.7 does not alert
> the udp portscans!!!

There are a couple of things that you need to consider.  You are having
trouble with a pcap file on one version and not the other...  But, you also
changed versions of OS, Kernel, and most importantly libpcap.

spp_portscan doesn't send packets into the log or alert facility.  It just
sends an alert when it spots a scan.  Unless you're logging every packet to
that box in pcap file, you won't have the packets that triggered the portscan.
Unless that packet also triggered a rule--That would trigger the rule and log
the packet.

And a couple of helpful suggestions below:

> Below is the snort.conf which i use for the 2 sensors.
>
> var HOME_NET any
> var EXTERNAL_NET any
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var HTTP_PORTS any

Don't use 'any'.  Set your HOME_NET to 10.10.10.0/24 (or whatever) and then
EXTERNAL_NET to !$HOME_NET.  That will help on a lot of false positives.

> preprocessor frag2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor http_decode: 80 -unicode -cginull
> preprocessor rpc_decode: 111
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> output log_tcpdump: snort.log
> output alert_full: snort_full
> output alert_fast: snort_fast

Only log one type of alert.  Don't output to both full and fast.  The only
difference is the amount of info.  If you are using full then you get all the
same info as fast, just with a little bit extra.

> Does anyone have an idea about what is wrong??

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
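The two configuration points raised in the reply (HOME_NET/EXTERNAL_NET left as 'any', and alert_full plus alert_fast both enabled) are easy to check mechanically. The following is an added example, not code from the original post or from the Snort project: a small linter for the `var` and `output` directives of a Snort 1.8-era snort.conf. The sample configurations are constructed from the quoted file and its suggested fix; the parser only understands `var NAME value` and `output plugin: args` lines and ignores everything else.

```python
"""Lint a snort.conf for the configuration problems discussed above.

Added example (not from the original post): parses the 'var' and 'output'
directives of a snort.conf and reports (1) HOME_NET/EXTERNAL_NET left as
'any' and (2) both alert_full and alert_fast enabled at the same time.
"""
import ipaddress
import re

# Constructed sample: the variable/output lines from the quoted snort.conf.
WEAK_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var SMTP_SERVERS $HOME_NET
var HTTP_PORTS any
preprocessor portscan: $HOME_NET 4 3 portscan.log
output log_tcpdump: snort.log
output alert_full: snort_full
output alert_fast: snort_fast
"""

# Constructed sample: the same file after the changes suggested in the reply.
FIXED_CONF = """\
var HOME_NET 10.10.10.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_PORTS any
preprocessor portscan: $HOME_NET 4 3 portscan.log
output log_tcpdump: snort.log
output alert_full: snort_full
"""

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(.+?)\s*$")
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:")


def parse_conf(text):
    """Return ({var_name: value}, [output plugin names]) from snort.conf text."""
    variables, outputs = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop trailing comments
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = OUTPUT_RE.match(line)
        if m:
            outputs.append(m.group(1))
    return variables, outputs


def resolve(value, variables, depth=0):
    """Expand $VAR references, bounded so a self-referencing var cannot loop."""
    if depth > 10:
        return value
    expanded = re.sub(r"\$(\w+)",
                      lambda m: variables.get(m.group(1), m.group(0)), value)
    if expanded == value:
        return expanded
    return resolve(expanded, variables, depth + 1)


def lint_conf(text):
    """Return a list of findings (empty list means the checks all pass)."""
    variables, outputs = parse_conf(text)
    findings = []
    for name in ("HOME_NET", "EXTERNAL_NET"):
        raw = variables.get(name)
        if raw is None:
            findings.append(f"{name} is not defined")
        elif resolve(raw, variables).strip().lower() == "any":
            findings.append(f"{name} is 'any'; scope it to your network "
                            "(EXTERNAL_NET to !$HOME_NET) to cut false positives")
    # Sanity-check the HOME_NET entries as CIDR blocks (Snort allows [a,b] lists).
    home = resolve(variables.get("HOME_NET", ""), variables)
    if home and home.lower() != "any":
        for part in home.strip("[]").split(","):
            net = part.strip().lstrip("!")
            try:
                ipaddress.ip_network(net, strict=False)
            except ValueError:
                findings.append(f"HOME_NET entry {net!r} is not a valid CIDR")
    if "alert_full" in outputs and "alert_fast" in outputs:
        findings.append("both alert_full and alert_fast enabled; alert_full "
                        "already contains everything alert_fast logs")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"[{label}]")
        for finding in lint_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Running it prints three findings for the quoted configuration and none for the corrected one. Note that the portscan preprocessor's own output file (`portscan.log` in the `preprocessor portscan:` line) is untouched by either change; as the reply explains, scan alerts go there, not through the log_tcpdump output.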
