[Snort-users] oh, come on

Matt Kettler mkettler at ...4108...
Wed Sep 24 12:30:27 EDT 2003


At 02:27 PM 9/24/2003, Raymond Norton wrote:
>Being the novice I am with compiling and diagnosing errors I was really
>proud of myself when I followed the redhat 9.0 install docs and got
>everything working. httpd, mysql, and snort are all running without
>complaint. I pulled up the nice acid page and commenced to do a port scan,
>but snort does not respond to it. My page stays the same (0 hits). I looked
>over the faq to see what might be there, and verified that I have everything
>set right. I substituted "log" with "alert" in the snort.conf without any
>luck.

Unless you have the portscan or portscan2 preprocessors, snort does not 
notice or care about trivial things like portscans.

Snort's ruleset in general looks for actual attack attempts. Packets that 
appear to be attempting overflows, exploitation of mis-features in DNS and 
the like.

Try using something like nessus, or adding a snort rule that will alert on 
anything.

Also be sure that the HOME_NET and EXTERNAL_NET definitions are appropriate 
relative to the attack you are trying. In general most rules ignore 
attacks unless they come from a machine in EXTERNAL_NET and go to a machine 
in HOME_NET.

Portscans are so absurdly common these days that personally I give them no 
notice whatsoever. You may as well have a physical security guard make a 
note anytime a car enters your company parking lot containing more than one 
person.
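The three points in the reply above (HOME_NET/EXTERNAL_NET, a portscan preprocessor, and a catch-all test rule) as one constructed snort.conf fragment; this is an added example, not from the original post, written in Snort 2.0-era syntax with placeholder addresses for a sample lab network.

```snort
# Constructed snort.conf fragment (Snort 2.0-era syntax).
# 192.168.1.0/24 and 192.168.1.10 are placeholder lab addresses.

# 1. Define what "inside" and "outside" mean. Most shipped rules only
#    fire on traffic from $EXTERNAL_NET to $HOME_NET, so a scan launched
#    from one inside host against another inside host matches nothing.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# 2. Without a portscan preprocessor Snort does not track scans at all.
#    Classic portscan: alert when one source touches 4 ports within
#    3 seconds on the monitored network; details go to the named file.
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log

# Optional: do not report scans from a host you expect to scan, such as
# the box running nessus during validation.
preprocessor portscan-ignorehosts: 192.168.1.10

# 3. A catch-all rule proves the sensor sees packets at all. It fires on
#    every IP packet in either direction, so keep it only while checking
#    the install, then remove it so the console is not flooded.
alert ip any any -> any any (msg:"TEST catch-all - remove after validation"; sid:1000001; rev:1;)
```

The rule line belongs in local.rules (or any rules file pulled in with `include`), and the variable definitions must appear before any rule that references them.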
