[Snort-users] TCP PORTSCAN - log all packets?

Matt Kettler mkettler at ...4108...
Mon Jun 6 14:21:18 EDT 2005


Daniel Rocha wrote:
> I am running snort 2.3.0 (Build 10) and in my snort.conf I enabled:
> "output log_tcpdump: tcpdump.log" to log in binary tcpdump mode.
> 
> I am having a problem when I run a TCP portscan (and other types). I
> need to see all packets related to the portscan in the log, and
> just two packets are logged, like:
> 
> 16:13:10.119122 IP 192.168.254.2 > 192.168.254.7: icmp 8: echo request seq 0
> 16:13:10.451484 IP 192.168.254.2 > 192.168.254.7:  raw 147
> 
> And the alert file show:
> 
> [**] [1:469:3] ICMP PING NMAP [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 06/06-16:13:10.119122 192.168.254.2 -> 192.168.254.7
> ICMP TTL:48 TOS:0x0 ID:52088 IpLen:20 DgmLen:28
> Type:8  Code:0  ID:2209   Seq:0  ECHO
> [Xref => http://www.whitehats.com/info/IDS162]
> 
> [**] [122:1:0] (portscan) TCP Portscan [**]
> 06/06-16:13:10.451484 192.168.254.2 -> 192.168.254.7
> RAW TTL:0 TOS:0x0 ID:22633 IpLen:20 DgmLen:167 DF
> 
> Does anyone know how I can log all packets?
> 

You'd need to log *ALL* packets to do this, i.e.:

log ip any any -> any any


NMAP scans are all over the place, and most of the packets look "ordinary" so
there's no good way for an IDS to identify every packet in an NMAP scan. It's
only going to be able to identify some of the unusual packets NMAP uses during
its host ping, and during its OS identification.


p.s. if at first you don't get a reply, don't repost the exact same message
again. It makes you appear less smart than you are. If you must repost, at least
try revising your message so it is more clear.

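One way to get value out of such a full-packet log, as an added example that is not part of the thread or of Snort itself: a small Python script that reads the binary tcpdump file (the output of `log_tcpdump`) and pulls every packet the scanning host sent in a window around the portscan alert's timestamp, then summarizes the destination ports and TCP flags seen. The pcap builder and the sample packets (addresses taken from the alerts above, timestamps and ports constructed) exist only so the block runs offline; in practice you would read the real `tcpdump.log` from disk and pass the alert's timestamp.

```python
"""Correlate a Snort portscan alert with a full-packet tcpdump log.

Added example, not from the mailing-list thread or from Snort: parses a
libpcap file, selects packets from the alerting source in a time window
around the alert, and summarizes what the scan touched.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution libpcap magic
LINKTYPE_ETHERNET = 1          # what log_tcpdump writes on an Ethernet sensor
ETHERTYPE_IPV4 = 0x0800


def ipv4_header(src, dst, proto, payload_len, ttl=48):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_packet(src, dst, sport, dport, flags=0x02):
    """IPv4 + 20-byte TCP header; flags default to 0x02 (SYN)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 1024, 0, 0)
    return ipv4_header(src, dst, 6, len(tcp)) + tcp


def icmp_echo(src, dst, ident=2209, seq=0):
    """IPv4 + ICMP echo request, like the NMAP host ping in the alert above."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def build_pcap(frames):
    """frames: iterable of (epoch_seconds, ip_packet_bytes) -> pcap file bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)   # dummy MACs
    for ts, ip in frames:
        frame = eth + ip
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (timestamp, src, dst, proto, sport, dport, tcp_flags) per IPv4 packet.

    Handles both byte orders of the classic microsecond pcap format; the
    nanosecond variant and non-Ethernet link types are out of scope here.
    """
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport = dport = None
        flags = 0
        l4 = ip[ihl:]
        if proto == 6 and len(l4) >= 14:          # TCP: ports + flag byte
            sport, dport = struct.unpack_from("!HH", l4, 0)
            flags = l4[13]
        elif proto == 17 and len(l4) >= 4:        # UDP: ports only
            sport, dport = struct.unpack_from("!HH", l4, 0)
        yield sec + usec / 1_000_000, src, dst, proto, sport, dport, flags


def packets_from_host(pcap, host, alert_ts, window=1.0):
    """Every packet sent by `host` within +/- `window` seconds of the alert."""
    return [p for p in iter_pcap(pcap)
            if p[1] == host and abs(p[0] - alert_ts) <= window]


def summarize(records):
    """Distinct TCP destination ports and flag bytes, plus ICMP count."""
    return {"packets": len(records),
            "tcp_dports": sorted({r[5] for r in records if r[3] == 6}),
            "tcp_flags": sorted({r[6] for r in records if r[3] == 6}),
            "icmp": sum(1 for r in records if r[3] == 1)}


# Constructed sample: hosts from the alerts above, base time and ports made up.
SCANNER, TARGET, OTHER = "192.168.254.2", "192.168.254.7", "192.168.254.9"
T0 = 1118088790.0                # constructed epoch base
ALERT_TS = T0 + 0.451484         # "(portscan) TCP Portscan" alert time
SAMPLE_PCAP = build_pcap([
    (T0 + 0.119122, icmp_echo(SCANNER, TARGET)),                # NMAP host ping
    (T0 + 0.20, tcp_packet(SCANNER, TARGET, 40000, 22)),
    (T0 + 0.25, tcp_packet(SCANNER, TARGET, 40001, 80)),
    (T0 + 0.30, tcp_packet(OTHER, TARGET, 51000, 80, 0x18)),     # unrelated PSH/ACK
    (T0 + 0.35, tcp_packet(SCANNER, TARGET, 40002, 443)),
    (T0 + 0.40, tcp_packet(SCANNER, TARGET, 40003, 8080)),
    (T0 + 30.0, tcp_packet(SCANNER, TARGET, 40004, 25)),         # outside window
])


def reconstruct_scan(pcap=SAMPLE_PCAP, host=SCANNER, alert_ts=ALERT_TS):
    """Summarize what `host` did around the alert; defaults use the sample."""
    return summarize(packets_from_host(pcap, host, alert_ts))


if __name__ == "__main__":
    print(reconstruct_scan())
```

Against the sample capture this reports five packets from the scanner in the window (one ICMP echo and four SYNs to ports 22, 80, 443 and 8080), ignores the unrelated host and the packet thirty seconds later. Replace `SAMPLE_PCAP` with `open("tcpdump.log", "rb").read()` and `ALERT_TS` with the alert's epoch time to run it on a real log; widening `window` trades precision for coverage on slow scans.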