[Snort-users] Cannot detect port scans

Matt Kettler mkettler at ...4108...
Tue Oct 5 11:35:32 EDT 2004


At 02:03 PM 10/5/2004, RD R wrote:
>I have snort running on an XP Pro box with MySQL and Acid and 
>Winpcap.  Everything is working fine, however I cannot detect port 
>scans.  I have run nmap and superscan against my network and I cannot 
>detect them.  I set the XP box to 0.0.0.0 for IP and I placed the box 
>inside of the firewall.  I spanned the ports on our cisco switch and I am 
>monitoring any traffic that crosses the switch.  I would like to include 
>my snort.conf file so all can see it but when I do the list rejects my 
>email :(  How can I enable the port scan, I have uncommented the Flow port 
>scan preproccesors.  Thanks.

 From looking at your snort.conf you've got flow-portscan enabled and your 
watchnet set to 10.2.0.0/30.

Have you fired up a packet sniffer such as packetyzer, windump, etc, to 
verify the portscans to 10.2.0.0/30 are actually reaching your snort box?

I know you've got a span port set on your switch, but I'd really suggest 
the sniffer so you can verify it's really doing what you think.



P.S. your snort.conf came across just fine in both of your previous posts 
(yesterday morning and this morning). Those rejection messages were 
probably generated by broken mailservers of some subscribers who don't 
understand RFC requirements for email return-paths, or are using crappy 
"mail filter" tools that don't understand RFC requirements. If you look 
closely you'll see it wasn't generated by a sourceforge machine, but some 
other network's broken mailserver and it's sending it to you (the message 
From: address) rather than the envelope return (which should go to the list 
admin).

Some of these systems bounce any message back in a broken manner that 
contain a single instance of a list of words like vulnerability or exploit 
thinking it's pornographic or ink thinking it's printer cartridge spam. 
Gotta love broken spam filtering with severely broken bouncing.

Ignore the broken rejections, or if the recipient is obvious report them to 
the list-admin so they can be removed from the list before they cause more 
trouble.








More information about the Snort-users mailing list