[Snort-users] sfportscan alert

repniksz at ...13889... repniksz at ...13889...
Mon Aug 7 09:15:50 EDT 2006


Hi,
I'm testing my snort with nmap, but my alert file is not too detailed.
I've tried most types of scanning ( XMAS, NULL, SYN ) but in my alert file
there is not any difference among them.
Example:

[**] [1:469:3] ICMP PING NMAP [**] 
[Classification: Attempted Information Leak] [Priority: 2] 
08/04-14:53:28.975760 xx.xx.xx.xx -> xx.xx.xx.xx 
ICMP TTL:42 TOS:0x0 ID:14704 IpLen:20 DgmLen:28 
Type:8 Code:0 ID:64838 Seq:61002 ECHO 
[Xref => http://www.whitehats.com/info/IDS162] 

[**] [1:469:3] ICMP PING NMAP [**] 
[Classification: Attempted Information Leak] [Priority: 2] 
08/04-15:00:28.942357 xx.xx.xx.xx -> xx.xx.xx.xx 
ICMP TTL:48 TOS:0x0 ID:6833 IpLen:20 DgmLen:28 
Type:8 Code:0 ID:12336 Seq:13155 ECHO 
[Xref => http://www.whitehats.com/info/IDS162] 

my snort.conf:

preprocessor sfportscan: proto { all } \ 
memcap { 10000000 } \ 
sense_level { high } 

I would like to have a message like in a scan.alert. (example: msg:"SCAN 
XMAS") 

thanks