[Snort-users] Cannot detect port scans
mkettler at ...4108...
Tue Oct 5 11:35:32 EDT 2004
At 02:03 PM 10/5/2004, RD R wrote:
>I have snort running on an XP Pro box with MySQL and Acid and
>Winpcap. Everything is working fine, however I cannot detect port
>scans. I have run nmap and superscan against my network and I cannot
>detect them. I set the XP box to 0.0.0.0 for IP and I placed the box
>inside of the firewall. I spanned the ports on our cisco switch and I am
>monitoring any traffic that crosses the switch. I would like to include
>my snort.conf file so all can see it but when I do the list rejects my
>email :( How can I enable the port scan? I have uncommented the Flow port
>scan preprocessors. Thanks.

From looking at your snort.conf you've got flow-portscan enabled and your
watchnet set to 10.2.0.0/30.
Have you fired up a packet sniffer such as packetyzer, windump, etc, to
verify the portscans to 10.2.0.0/30 are actually reaching your snort box?
I know you've got a span port set on your switch, but I'd really suggest
the sniffer so you can verify it's really doing what you think.

P.S. Your snort.conf came across just fine in both of your previous posts
(yesterday morning and this morning). Those rejection messages were
probably generated by broken mailservers of some subscribers who don't
understand RFC requirements for email return-paths, or are using crappy
"mail filter" tools that don't understand RFC requirements. If you look
closely you'll see it wasn't generated by a sourceforge machine, but some
other network's broken mailserver and it's sending it to you (the message
From: address) rather than the envelope return (which should go to the list

Some of these systems bounce any message back in a broken manner that
contains a single instance of one of a list of words like vulnerability or exploit,
thinking it's pornographic or ink thinking it's printer cartridge spam.
Gotta love broken spam filtering with severely broken bouncing.

Ignore the broken rejections, or if the recipient is obvious report them to
the list-admin so they can be removed from the list before they cause more
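
The check suggested above, verifying on the span-port sniffer output that probes really arrive at hosts inside the flow-portscan watchnet, can be scripted over captured packet records. The following is an added example, not code from the thread or from Snort; the packet tuples are constructed sample data standing in for sniffer output, and the fan-out threshold of 5 is an assumption chosen for illustration, not Snort's default. It also shows the consequence of the 10.2.0.0/30 watchnet: that prefix covers only four addresses (10.2.0.0 to 10.2.0.3), so SYNs aimed at any other host are never counted toward a scan.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records, imitating what windump/packetyzer on the span
# port would show: (src_ip, dst_ip, dst_port, tcp_flags).  "S" is a bare SYN,
# "SA" a SYN/ACK reply.
SAMPLE_PACKETS = [
    ("192.168.1.50", "10.2.0.2", 22, "S"),
    ("192.168.1.50", "10.2.0.2", 23, "S"),
    ("192.168.1.50", "10.2.0.2", 80, "S"),
    ("192.168.1.50", "10.2.0.2", 443, "S"),
    ("192.168.1.50", "10.2.0.2", 3306, "S"),
    ("10.2.0.2", "192.168.1.50", 49152, "SA"),
    ("192.168.1.77", "10.2.5.9", 22, "S"),    # target lies outside 10.2.0.0/30
    ("192.168.1.77", "10.2.5.9", 25, "S"),
    ("192.168.1.77", "10.2.5.9", 80, "S"),
    ("192.168.1.77", "10.2.5.9", 139, "S"),
    ("192.168.1.77", "10.2.5.9", 445, "S"),
    ("192.168.1.10", "10.2.0.1", 80, "S"),
]


def in_watchnet(packets, watchnet):
    """Keep only packets whose destination is inside the watchnet prefix.

    An empty result for a capture taken during a test scan means the span
    port is not delivering the traffic, so the preprocessor has nothing to see.
    """
    net = ipaddress.ip_network(watchnet)
    return [p for p in packets if ipaddress.ip_address(p[1]) in net]


def syn_port_fanout(packets):
    """Count distinct (host, port) pairs probed with a bare SYN, per source."""
    fanout = defaultdict(set)
    for src, dst, dport, flags in packets:
        if flags == "S":
            fanout[src].add((dst, dport))
    return {src: len(pairs) for src, pairs in fanout.items()}


def suspected_scanners(packets, watchnet, threshold=5):
    """Sources that sent bare SYNs to at least `threshold` distinct (host, port)
    pairs inside the watchnet.  The threshold is an illustrative assumption."""
    watched = in_watchnet(packets, watchnet)
    return sorted(src for src, n in syn_port_fanout(watched).items()
                  if n >= threshold)


if __name__ == "__main__":
    for net in ("10.2.0.0/30", "10.2.0.0/16"):
        seen = in_watchnet(SAMPLE_PACKETS, net)
        print(f"watchnet {net}: {len(seen)} packets inside, "
              f"suspected scanners {suspected_scanners(SAMPLE_PACKETS, net)}")
```

Run against a real capture, the first thing to look at is the size of `in_watchnet`'s result; only once that is non-empty is a missing flow-portscan alert a preprocessor question rather than a span-port one. Widening the watchnet to a /16 in the sample makes the second probing source visible, which is the same effect a too-narrow watchnet has on the real sensor.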