[Snort-users] Snort not seeing all traffic?

Erick Mechler emechler at ...7719...
Thu Apr 24 08:50:09 EDT 2003


:: I am referring to "alerts" I guess... With that said, I can not find 
:: "rules" via snort-center, that pertain to port scanning and or the exploits 
:: like cmd.exe and root.exe... As for the rest, should I run something like 
:: Ethereal and check traffic that way?

Portscanning is taken care of via the portscan2 preprocessor (Config Types 
--> Preprocessors --> Create preprocessors).  As for the cmd.exe and 
root.exe rules, check SIDs 1661, 1002, and 1256 among others.

Re: Ethereal, that's just a sniffer, so unless you actually want to look
through all your packets looking for bad stuff, I'd just stick with
customizing your Snort rulebase to fit your needs.

Cheers - Erick




More information about the Snort-users mailing list