[Snort-users] Snort 2.6.1 false negative - not detecting port scans
hpsekhon at ...14012...
Fri Jun 13 05:59:18 EDT 2008
I have a couple of snort sensors with the sfportscan preprocessor
enabled and set to sensitivity high with no ignored scanners and have
then proceeded to test this using nmap to do the most standard syn and
connect scans directly against those sensors and snort has failed on
both sensors to detect this.

I am outputting to both syslog and base via barnyard and no portscan
alerts have been logged, nor has the unified alert file grown at all, so
snort is definitely not logging this. I am sure snort was logging this
before the other day when I was testing this.

Any ideas why snort is failing such a basic test?