[Snort-users] Snort not seeing all traffic?

PJ p.jones.ml at ...8985...
Thu Apr 24 11:37:06 EDT 2003

Ok, following what you said, I looked for  the preprocessor lines in my 
config and saw nothing for portscan2, I created the preprocessor, though I 
was wondering if I should leave all the values  blank?

Also, I checked the rules and noted that the ones I was concerned about 
(cmd.exe ...) are activated...why would Snort not see this type of attack 
(my guess is several reasons, all that are beyond my education level at 
this moment I fear)?

Thanks for all the help folks.


   At 08:48 AM 4/24/2003 -0700, Erick Mechler wrote:
>:: I am referring to "alerts" I guess... With that said, I can not find
>:: "rules" via snort-center, that pertain to port scanning and or the 
>:: like cmd.exe and root.exe... As for the rest, should I run something like
>:: Ethereal and check traffic that way?
>Portscanning is taken care of via the portscan2 preprocessor (Config Types
>--> Preprocessors --> Create preprocessors).  As for the cmd.exe and
>root.exe rules, check SIDs 1661, 1002, and 1256 among others.
>Re: Ethereal, that's just a sniffer, so unless you actually want to look
>through all your packets looking for bad stuff, I'd just stick with
>customizing your Snort rulebase to fit your needs.
>Cheers - Erick

More information about the Snort-users mailing list