[Snort-users] UDP Portscans Are Not Captured

Erek Adams erek at ...577...
Mon Sep 30 09:12:29 EDT 2002


On Mon, 30 Sep 2002, Grigoris Vidakis wrote:

> I run snort Version 1.8.3 (Build 88) on Linux 7.3 (2.4.18-3) and it
> captures and alerts me on UDP portscans,
> BUT on the same box with the same kernel and libpcap, snort Version
> 1.8.7 (Build 128) does not capture them..

Actually, it's not anything to do with snort.  It's strictly the way that the
portscan preprocessor works.  The spp_portscan generates one alert when a scan
starts, one alert during the scan, and one alert at the end of the scan.
These alerts don't have any packets associated with them.  They will _never_
be in the pcap file.

The _only_ way snort will log a packet that was part of a portscan is if the
packet matches a rule (SYN-FIN Scan for example).  If it matches a rule, then
a copy of the packet will be saved.  If there is no rule, there won't be a
matching packet log.

I'm not sure if I'm stating it better here or in the second paragraph of
the previous email.  Read both and see if it helps!

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
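The distinction Erek describes, as an added toy example (not Snort's own code): a preprocessor-style scan tracker that emits start/status/end alerts carrying no packet, beside a rule-style match (SYN-FIN) whose packet is saved. The `Packet` class, `RULES`, `process` and the sample traffic are all constructed for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    proto: str       # "udp" or "tcp"
    flags: str = ""  # TCP flag letters, e.g. "SF" for SYN+FIN


# Rule-style detection: a matching packet itself is saved to the packet log.
RULES = {
    "SYN-FIN Scan": lambda p: p.proto == "tcp" and "S" in p.flags and "F" in p.flags,
}


def process(packets, threshold=4):
    """Return (alerts, packet_log). Each alert is (message, packet-or-None)."""
    alerts, packet_log = [], []
    ports_hit = defaultdict(set)  # src -> distinct destination ports touched
    for p in packets:
        # Rule matches carry the packet, so it lands in the log.
        for name, match in RULES.items():
            if match(p):
                alerts.append((name, p))
                packet_log.append(p)
        # Preprocessor-style tracking keeps only counters, never the packet.
        ports_hit[p.src].add(p.dport)
        n = len(ports_hit[p.src])
        if n == threshold:
            alerts.append((f"PORTSCAN DETECTED from {p.src}", None))
        elif n == 2 * threshold:
            alerts.append((f"portscan status from {p.src}: {n} ports", None))
    # End-of-trace stands in for the scan timeout: one closing alert per scanner.
    for src, ports in ports_hit.items():
        if len(ports) >= threshold:
            alerts.append((f"End of portscan from {src}: {len(ports)} ports", None))
    return alerts, packet_log


# Constructed sample traffic: a UDP sweep of 8 ports, plus one TCP SYN-FIN probe.
UDP_SWEEP = [Packet("10.0.0.5", port, "udp") for port in range(53, 61)]
SYNFIN = Packet("10.0.0.9", 22, "tcp", "SF")
```

Running `process(UDP_SWEEP)` yields three alerts and an empty packet log, which is why the UDP scan is absent from the pcap; only the SYN-FIN probe, matched by a rule, is logged.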





More information about the Snort-users mailing list