[Snort-users] Flow-portscan oddity

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Tue Apr 13 08:22:26 EDT 2004


Yes, everyone says this... And I've checked it out many times over, and
adjusted my numbers accordingly... And yet... Not a single alert.   I've
tried the different alert modes, different output methods... Very small
numbers on requirements.

But it seems to me that, with the default setup and by my reading of the doc
file, if I were to scan a system on that network across all 65535 ports in
the span of 15 seconds, there should be at least 1 (ONE) alert.  But when I
do the same thing across 30 machines on the same network and all 65k ports
in the span of a few minutes, nothing as well.  So it seems to me that there
is something wrong with either the documentation, the preprocessor, or both.

If it comes down to it, I have copies of the 20 or so different configs
I've run. 
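As an added illustration (not Snort's flow-portscan code and not written by anyone in this thread): a simplified per-talker scorer that counts distinct (host, port) targets from one source inside a sliding window, run over constructed flow records for the two scenarios described above plus a quiet baseline. The threshold and window knobs are hypothetical names, not flow-portscan option names.

```python
# Added example, not Snort's flow-portscan implementation: a simplified
# per-talker scorer that counts distinct (dst_ip, dst_port) targets seen from
# one source inside a sliding time window. Knob names are hypothetical.
from collections import Counter, defaultdict, deque

UNIQUE_TARGET_THRESHOLD = 20   # distinct targets from one talker in the window
WINDOW_SECONDS = 60            # sliding window length

def first_alert(flows, threshold=UNIQUE_TARGET_THRESHOLD, window=WINDOW_SECONDS):
    """flows: iterable of (ts, src_ip, dst_ip, dst_port).
    Returns (src_ip, ts, distinct_targets) for the first talker whose distinct
    target count reaches `threshold` within `window` seconds, else None."""
    recent = defaultdict(deque)    # src -> deque of (ts, target) inside the window
    counts = defaultdict(Counter)  # src -> Counter of target -> hits in the window
    for ts, src, dst, dport in sorted(flows):
        target = (dst, dport)
        recent[src].append((ts, target))
        counts[src][target] += 1
        # expire events older than the window before scoring this talker
        while ts - recent[src][0][0] > window:
            old_ts, old_target = recent[src].popleft()
            counts[src][old_target] -= 1
            if counts[src][old_target] == 0:
                del counts[src][old_target]
        if len(counts[src]) >= threshold:
            return (src, ts, len(counts[src]))
    return None

def scan_one_host(src="198.51.100.7", dst="203.0.113.10", seconds=15):
    # constructed: all 65535 TCP ports on one host, spread over 15 seconds
    n = 65535
    return [(seconds * i / n, src, dst, i + 1) for i in range(n)]

def sweep_thirty_hosts(src="198.51.100.7", seconds=180, stride=16):
    # constructed: 30 hosts over a few minutes; ports sampled every `stride`
    # to keep the sample small (the sweep in the message hit all 65k ports)
    hosts = ["203.0.113.%d" % h for h in range(1, 31)]
    ports = range(1, 65536, stride)
    total = len(hosts) * len(ports)
    return [(seconds * i / total, src, hosts[i % 30], ports[i // 30])
            for i in range(total)]

def quiet_baseline(src="198.51.100.8", dst="203.0.113.10"):
    # constructed: a handful of ordinary connections, well under any threshold
    return [(60.0 * i, src, dst, 443) for i in range(10)]
```

Both scan shapes cross the threshold within their first second of records, while the baseline never does, which is the behaviour the message expects from the default configuration.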

-----Original Message-----
From: Martin Roesch [mailto:roesch at ...1935...] 
Sent: Tuesday, April 13, 2004 8:56 AM
To: Guillaume Arcas
Cc: Snort Users
Subject: Re: [Snort-users] Flow-portscan oddity

Check out README.flow-portscan in the doc directory of your snort 
distro.

      -Marty

On Apr 13, 2004, at 2:31 AM, Guillaume Arcas wrote:

> Kreimendahl, Chad J wrote:
>>
>> Using the default configuration for flow and flow portscan... And
>> testing it on an external interface... We're seeing absolutely no 
>> alerts
>> triggered.  I've attempted using many output mechanisms, hoping that 
>> it
>> wasn't the method we were using, and the results are the same.   I'm
>> 100% positive there were several scans happening on this same 
>> interface,
>> as I ran portscan2 at the same time with a different snort, on the 
>> same
>> interface.   Many noisy ugly alerts from portscan2... Nothing from
>> flow-portscan.
>
> Same for me...
>
> Is there any documentation about this plugin and its configuration
> anywhere other than the code itself?
>
>
> -- 
> Guillaume Arcas
>
> --------------------------------------------------
> We must part. We are two children,
> we have done a foolish thing. (Yvonne de Galais)
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


