[Snort-users] UDP Portscans Are Not Capture
erek at ...577...
Mon Sep 30 09:12:29 EDT 2002
On Mon, 30 Sep 2002, Grigoris Vidakis wrote:
> i run snort Version 1.8.3 (Build 88) in the linux 7.3 (2.4.18-3) and it
> capture and aler me for upd portscans
> BUT in the same box which the same kernel and libpcap the snort Version
> 1.8.7 (Build 128) does not capture them..
Actually, it's not anything to do with snort. It's strictly the way that the
portscan preprocessor works. The spp_portscan generates one alert when a scan
starts, one alert during the scan, and one alert at the end of the scan.
These alerts don't have any packets associated with them. They will _never_
be in the pcap file.
The _only_ way snort will log a packet that was part of a portscan is if the
packet matches a rule (SYN-FIN Scan for example). If it matches a rule, then
a copy of the packet will be saved. If there is no rule, there won't be a
matching packet log.
I'm not sure if I'm stating it better here or in the other second paragraph of
the previous email. Read both and see if it helps!
More information about the Snort-users