[Snort-users] Snort not seeing all traffic?
p.jones.ml at ...8985...
Thu Apr 24 11:37:06 EDT 2003
Ok, following what you said, I looked for the preprocessor lines in my
config and saw nothing for portscan2, I created the preprocessor, though I
was wondering if I should leave all the values blank?
Also, I checked the rules and noted that the ones I was concerned about
(cmd.exe ...) are activated...why would Snort not see this type of attack
(my guess is several reasons, all that are beyond my education level at
this moment I fear)?
Thanks for all the help folks.
At 08:48 AM 4/24/2003 -0700, Erick Mechler wrote:
>:: I am referring to "alerts" I guess... With that said, I can not find
>:: "rules" via snort-center, that pertain to port scanning and or the
>:: like cmd.exe and root.exe... As for the rest, should I run something like
>:: Ethereal and check traffic that way?
>Portscanning is taken care of via the portscan2 preprocessor (Config Types
>--> Preprocessors --> Create preprocessors). As for the cmd.exe and
>root.exe rules, check SIDs 1661, 1002, and 1256 among others.
>Re: Ethereal, that's just a sniffer, so unless you actually want to look
>through all your packets looking for bad stuff, I'd just stick with
>customizing your Snort rulebase to fit your needs.
>Cheers - Erick
More information about the Snort-users