[Snort-users] UDP Portscans Are Not Capture
gammon.mcclure at ...4990...
Mon Sep 30 10:31:16 EDT 2002
I've seen a similar lack of UDP scans (1.8.7 b93) in the portscan.log files (none since March 5). Not too bothersome since we deny UDP inbound, but the question did nag at me. My C skills are pretty limited (bordering on non-existent), but looking at spp_portscan.c it appears to this novice that the "Compile Time Settings" just prior to the LogScanInfoToSeparateFile subroutine set the default scansToWatch = ~(sRESERVEDBITS | sUDP); with commented-out options to watch everything. Could this be the source of the problem?
From: James Hoagland [mailto:hoagland at ...47...]
Sent: Monday, September 30, 2002 12:37 PM
To: Grigoris Vidakis; Erek Adams
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] UDP Portscans Are Not Capture
>>At 6:53 PM +0300 9/30/02, Grigoris Vidakis wrote:
>>I run Snort Version 1.8.3 (Build 88) on linux 7.3 (2.4.18-3) and it
>>captures and alerts me about UDP portscans,
>>BUT on the same box, with the same kernel and libpcap, Snort Version
>>1.8.7 (Build 128) does not capture them..
>To be clear, are you giving the same file as input (with -r) both
>times? That is, are both Snorts seeing the same stream of packets?
>If this is the case, then we'll need to investigate.
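As an added illustration (not code from Snort, spp_portscan.c or anyone in this thread), the C snippet below models how a compile-time watch mask of the form quoted in the post, ~(sRESERVEDBITS | sUDP), silently excludes UDP scan events from logging while TCP scans still get through. Only the names sUDP and sRESERVEDBITS come from the post; their numeric values, the other flag names and the sample scan events are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bits. sUDP and sRESERVEDBITS are named in the post; the numeric
 * values here and the other two flags are hypothetical, not Snort's. */
#define sUDP          0x01u
#define sTCP_SYN      0x02u   /* hypothetical */
#define sTCP_FIN      0x04u   /* hypothetical */
#define sRESERVEDBITS 0x80u

/* Default of the kind quoted in the post: watch everything EXCEPT
 * reserved-bit scans and UDP scans. */
static const uint32_t DEFAULT_SCANS_TO_WATCH = ~(sRESERVEDBITS | sUDP);

/* The "watch everything" alternative the post says is commented out. */
static const uint32_t WATCH_ALL_SCANS = ~0u;

/* A scan of the given type is logged only if its bit is set in the mask. */
int scan_is_watched(uint32_t scans_to_watch, uint32_t scan_type)
{
    return (scans_to_watch & scan_type) != 0;
}

struct scan_event {
    const char *src;     /* constructed, non-routable sample address */
    uint32_t    type;    /* one of the flag bits above */
};

/* Constructed sample events: 2 UDP, 1 SYN, 1 FIN, 1 reserved-bits. */
static const struct scan_event SAMPLE_EVENTS[] = {
    { "192.0.2.10", sUDP          },
    { "192.0.2.11", sTCP_SYN      },
    { "192.0.2.12", sUDP          },
    { "192.0.2.13", sTCP_FIN      },
    { "192.0.2.14", sRESERVEDBITS },
};
#define SAMPLE_COUNT (sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0])

/* Count how many of the sample events would reach portscan.log under
 * the given mask; this is what a defender would check when a log shows
 * no UDP entries for months. */
int count_logged(uint32_t scans_to_watch)
{
    int logged = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        if (scan_is_watched(scans_to_watch, SAMPLE_EVENTS[i].type))
            logged++;
    }
    return logged;
}

int main(void)
{
    printf("default mask 0x%08x logs %d of %zu events (UDP watched: %s)\n",
           DEFAULT_SCANS_TO_WATCH, count_logged(DEFAULT_SCANS_TO_WATCH),
           SAMPLE_COUNT,
           scan_is_watched(DEFAULT_SCANS_TO_WATCH, sUDP) ? "yes" : "no");
    printf("watch-all mask 0x%08x logs %d of %zu events\n",
           WATCH_ALL_SCANS, count_logged(WATCH_ALL_SCANS), SAMPLE_COUNT);
    return 0;
}
```

The point for anyone auditing a deployment: a sensor that is compiled with such a default will never produce UDP scan entries no matter how the rule set is configured, so an empty portscan.log for UDP is not evidence that no UDP scanning is happening. Verifying the effective mask (or replaying the same capture through both builds with -r, as James suggests) separates a configuration gap from a genuine absence of traffic.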