[Snort-users] UDP Portscans Are Not Capture

Grigoris Vidakis gvidakis at ...7022...
Mon Sep 30 09:00:02 EDT 2002


Dear sir,
I run snort Version 1.8.3 (Build 88) on Linux 7.3 (2.4.18-3) and it
captures and alerts me about UDP portscans,
BUT on the same box, with the same kernel and libpcap, snort Version
1.8.7 (Build 128) does not capture them..

I am going crazy!!!
thanks for your time


----- Original Message -----
From: "Erek Adams" <erek at ...577...>
To: "Grigoris Vidakis" <gvidakis at ...7022...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Monday, September 30, 2002 5:24 PM
Subject: Re: [Snort-users] UDP Portscans Are Not Capture


> On Mon, 30 Sep 2002, Grigoris Vidakis wrote:
>
> > I run snort Version 1.8.3 (Build 88) on Linux 7.2 (2.4.17), which alerts me
> > about the UDP portscans correctly (portscan.log, snort.fast, snort.full), BUT
> > when I run snort Version 1.8.7 (Build 128) on Linux 7.3 (2.4.18-3) with the
> > same snort.conf and a snort binary file as the input (-r), captured from
> > 1.8.3 (which had alerted me about UDP portscans), snort 1.8.7 does not alert
> > on the UDP portscans!!!
>
> There are a couple of things that you need to consider.  You are having
> trouble with a pcap file on one version and not the other...  But, you also
> changed versions of OS, Kernel, and most importantly libpcap.
>
> spp_portscan doesn't send packets into the log or alert facility.  It just
> sends an alert when it spots a scan.  Unless you're logging every packet to
> that box in a pcap file, you won't have the packets that triggered the portscan.
> Unless that packet also triggered a rule--That would trigger the rule and log
> the packet.
>
> And a couple of helpful suggestions below:
>
> > Below is the snort.conf which i use for the 2 sensors.
> >
> > var HOME_NET any
> > var EXTERNAL_NET any
> > var SMTP_SERVERS $HOME_NET
> > var HTTP_SERVERS $HOME_NET
> > var SQL_SERVERS $HOME_NET
> > var HTTP_PORTS any
>
> Don't use 'any'.  Set your HOME_NET to 10.10.10.0/24 (or whatever) and then
> EXTERNAL_NET to !$HOME_NET.  That will help on a lot of false positives.
>
> > preprocessor frag2
> > preprocessor stream4: detect_scans
> > preprocessor stream4_reassemble
> > preprocessor http_decode: 80 -unicode -cginull
> > preprocessor rpc_decode: 111
> > preprocessor telnet_decode
> > preprocessor portscan: $HOME_NET 4 3 portscan.log
> > output log_tcpdump: snort.log
> > output alert_full: snort_full
> > output alert_fast: snort_fast
>
> Only log one type of alert.  Don't output to both full and fast.  The only
> difference is the amount of info.  If you are using full then you get all the
> same info as fast, just with a little bit extra.
>
> > does anyone have an idea about what is wrong??
>
> Hope that helps!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
>
>
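Added example, not from either poster: a small re-implementation of the threshold rule expressed by the thread's `preprocessor portscan: $HOME_NET 4 3 portscan.log` line (alert when one source hits 4 or more distinct ports within 3 seconds), run over constructed UDP flow records. It also shows why Erek's `HOME_NET any` advice matters: with `0.0.0.0/0` the scan against a host outside the monitored range also fires. This is a simplified sliding-window reconstruction, not Snort's own spp_portscan code; the record tuple layout, the function name and the sample traffic are assumptions. In practice the records would have to come from a full packet log such as the `log_tcpdump` output, since, as the reply notes, the portscan preprocessor itself does not log the triggering packets.

```python
"""Sliding-window UDP portscan threshold, modelled on
`preprocessor portscan: $HOME_NET <ports> <seconds> <logfile>`.
Example code added for illustration; not Snort's implementation.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample records (assumed layout):
# (timestamp_seconds, src_ip, dst_ip, dst_port, proto)
SAMPLE_RECORDS = [
    (0.0, "192.0.2.10", "10.10.10.5", 53, "udp"),
    (0.5, "192.0.2.10", "10.10.10.5", 111, "udp"),
    (1.0, "192.0.2.10", "10.10.10.5", 123, "udp"),
    (1.5, "192.0.2.10", "10.10.10.5", 161, "udp"),  # 4th port inside 3 s: alert
    (2.0, "192.0.2.10", "10.10.10.5", 514, "udp"),  # same episode, no second alert
    (0.2, "198.51.100.7", "10.10.10.9", 53, "udp"),
    (9.0, "198.51.100.7", "10.10.10.9", 123, "udp"),  # slow: never 4 ports in 3 s
    (0.3, "203.0.113.4", "172.16.0.1", 53, "udp"),  # target outside HOME_NET
    (0.4, "203.0.113.4", "172.16.0.1", 111, "udp"),
    (0.5, "203.0.113.4", "172.16.0.1", 123, "udp"),
    (0.6, "203.0.113.4", "172.16.0.1", 161, "udp"),
]


def detect_udp_portscans(records, home_net="10.10.10.0/24", ports=4, seconds=3.0):
    """Return [(src_ip, alert_time, sorted_distinct_ports), ...].

    Only UDP traffic destined to HOME_NET is counted.  A source is alerted on
    once when it first reaches `ports` distinct destination ports within any
    `seconds`-long window, and becomes eligible again only after its window
    has thinned out below the threshold (one alert per scan episode).
    """
    home = ip_network(home_net)
    windows = defaultdict(deque)  # src -> deque of (ts, dport) inside the window
    alerted = set()               # sources currently inside an alerted episode
    alerts = []

    for ts, src, dst, dport, proto in sorted(records, key=lambda r: r[0]):
        if proto != "udp" or ip_address(dst) not in home:
            continue
        win = windows[src]
        win.append((ts, dport))
        # Expire events older than the window relative to the newest event.
        while win and ts - win[0][0] > seconds:
            win.popleft()
        distinct = {p for _, p in win}
        if len(distinct) >= ports:
            if src not in alerted:
                alerted.add(src)
                alerts.append((src, ts, sorted(distinct)))
        else:
            # Window dropped below threshold: a later burst counts as a new episode.
            alerted.discard(src)
    return alerts


if __name__ == "__main__":
    print("HOME_NET 10.10.10.0/24:", detect_udp_portscans(SAMPLE_RECORDS))
    print("HOME_NET any:", detect_udp_portscans(SAMPLE_RECORDS, home_net="0.0.0.0/0"))
```

With the monitored range set to `10.10.10.0/24` only `192.0.2.10` is reported; widening it to `0.0.0.0/0` (the `any` case) adds the `203.0.113.4` burst against `172.16.0.1`, which is noise if that host is not yours.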