[Snort-users] Snort 2.6.1 false negative - not detecting port scans

Hari Sekhon hpsekhon at ...14012...
Thu Jun 19 04:32:17 EDT 2008


For this sensor it is sensing on the same nic as the mgmt address so I 
am scanning that address.

This sensor is really a test sensor against which I've been trying 
various things out (which is why the sensing interface is the same as 
the mgmt interface). I made massive changes to the snort.conf in the 
course of tuning it, and I am scanning from the same subnet. Having just 
written this I realised that my EXTERNAL_NET was set to !$HOME_NET so 
this was probably stopping it from detecting the traffic. Switching this 
to any seems to again pick up scans from my workstation now. I forgot 
that the preprocessors may also use EXTERNAL_NET, not just the rules...

Thanks

-h

Seth wrote:
> Where is the scan being run from?  Same subnet?  Behind a firewall?
>
> You mention you are doing the scan against the sensors. Are you
> scanning the sensor MGMT IP address or the network that the sensor is
> protecting?
>
> Regards,
>
> Seth
>
> On Fri, Jun 13, 2008 at 5:59 AM, Hari Sekhon <hpsekhon at ...14012...> wrote:
>   
>> Hi,
>>
>>   I have a couple of snort sensors with the sfportscan preprocessor
>> enabled and set to sensitivity high with no ignored scanners and have
>> then proceeded to test this using nmap to do the most standard syn and
>> connect scans directly against those sensors and snort has failed on
>> both sensors to detect this.
>>
>> I am outputting to both syslog and base via barnyard and no portscan
>> alerts have been logged, nor has the unified alert file grown at all, so
>> snort is definitely not logging this. I am sure snort was logging this
>> before the other day when I was testing this.
>>
>> Any ideas why snort is failing such a basic test?
>>
>> -h
>>
>> --
>> Hari Sekhon
>>     
-- 
Hari Sekhon
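Added example, not part of the thread: a small Python checker for the misconfiguration Hari describes, evaluating Snort 2.x IP-variable syntax (any, $VAR, !negation, bracketed lists, CIDR) to report whether a given scanner address would count as EXTERNAL_NET. The snort.conf values and scanner addresses below are constructed; the BEFORE/AFTER setting of EXTERNAL_NET mirrors the change he made.

```python
import ipaddress

# Constructed snort.conf values (not from the thread). BEFORE is the
# configuration Hari describes: EXTERNAL_NET = !$HOME_NET, so a scanner on
# the home subnet is never "external". AFTER is the fix he applied.
BEFORE = {"HOME_NET": "[192.168.1.0/24,10.0.0.0/8]", "EXTERNAL_NET": "!$HOME_NET"}
AFTER = {"HOME_NET": "[192.168.1.0/24,10.0.0.0/8]", "EXTERNAL_NET": "any"}

def split_list(body):
    """Split the inside of a Snort [a,b,...] list on top-level commas only."""
    items, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items, cur = items + [cur], ""
        else:
            cur += ch
    return items + [cur] if cur else items

def ip_matches(expr, ip, variables):
    """True if `ip` is matched by Snort 2.x IP-variable expression `expr`.
    Handles: any, $VAR substitution, !negation, [a,b,...] lists and CIDR/host.
    Negated entries inside a list are treated as exclusions (Snort semantics)."""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not ip_matches(expr[1:], ip, variables)
    if expr.startswith("$"):
        return ip_matches(variables[expr[1:]], ip, variables)
    if expr.startswith("[") and expr.endswith("]"):
        items = [i.strip() for i in split_list(expr[1:-1])]
        excluded = [i[1:] for i in items if i.startswith("!")]
        included = [i for i in items if not i.startswith("!")]
        if any(ip_matches(e, ip, variables) for e in excluded):
            return False
        return not included or any(ip_matches(i, ip, variables) for i in included)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def scanner_visible(variables, scanner_ip):
    """Would a scan from scanner_ip be treated as coming from EXTERNAL_NET?"""
    return ip_matches(variables["EXTERNAL_NET"], scanner_ip, variables)

def blind_spots(variables, scanner_ips):
    """Return the test hosts whose scans this configuration would not flag."""
    return [ip for ip in scanner_ips if not scanner_visible(variables, ip)]
```

Running blind_spots(BEFORE, ["192.168.1.50", "203.0.113.7"]) reports the workstation on the home subnet as a blind spot, while the same call against AFTER reports none.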
