[Snort-users] Snort 2.6.1 false negative - not detecting port scans
hpsekhon at ...14012...
Thu Jun 19 04:32:17 EDT 2008
For this sensor, it is sensing on the same NIC as the mgmt address, so I
am scanning that address.
This sensor is really a test sensor against which I've been trying
various things out (which is why the sensing interface is the same as
the mgmt interface). I made massive changes to the snort.conf in the
course of tuning it, and I am scanning from the same subnet. Having just
written this, I realised that my EXTERNAL_NET was set to !$HOME_NET, so
this was probably stopping it from detecting the traffic. Switching this
to 'any' seems to pick up scans from my workstation again now. I forgot
that the preprocessors may also use EXTERNAL_NET, not just the rules...
> Where is the scan being run from? Same subnet? Behind a firewall?
> You mention you are doing the scan against the sensors. Are you
> scanning the sensor MGMT IP address or the network that the sensor is
> On Fri, Jun 13, 2008 at 5:59 AM, Hari Sekhon <hpsekhon at ...14012...> wrote:
>> I have a couple of snort sensors with the sfportscan preprocessor
>> enabled and set to sensitivity high with no ignored scanners and have
>> then proceeded to test this using nmap to do the most standard SYN and
>> connect scans directly against those sensors, and snort has failed on
>> both sensors to detect this.
>> I am outputting to both syslog and base via barnyard and no portscan
>> alerts have been logged, nor has the unified alert file grown at all, so
>> snort is definitely not logging this. I am sure snort was logging this
>> before the other day when I was testing this.
>> Any ideas why snort is failing such a basic test?
>> Hari Sekhon
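The configuration mistake described in the reply above, shown as a snort.conf fragment with the setting that suppressed the detections next to the corrected one. This is an added example and not Hari's actual snort.conf; the HOME_NET range, the scanner address and the interface name are assumptions, and the sfportscan option names are those documented for Snort 2.6.x. The point to remember is the variable semantics: with HOME_NET set to the sensor's subnet, EXTERNAL_NET = !$HOME_NET excludes every host on that subnet, so anything keyed on $EXTERNAL_NET cannot match a scan launched from a workstation on it. Check which of your portscan alerts actually depend on EXTERNAL_NET (rules that use `$EXTERNAL_NET any -> $HOME_NET any` certainly do) before assuming the preprocessor itself is at fault.

```conf
# --- network variables ---------------------------------------------------
# Assumed: the sensor's sensing NIC and its management address both live
# on 192.168.10.0/24, and the test scan is run from 192.168.10.50.
var HOME_NET 192.168.10.0/24

# Weak setting from the thread: everything in HOME_NET is NOT "external",
# so a scan from 192.168.10.50 -> the sensor never matches $EXTERNAL_NET.
# var EXTERNAL_NET !$HOME_NET

# Corrected setting for a test sensor scanned from its own subnet.
# (Revert to !$HOME_NET on production sensors if you rely on it to
# suppress noise from internal sources, and test from an outside host.)
var EXTERNAL_NET any

# --- preprocessors -------------------------------------------------------
# sfportscan on Snort 2.6.x depends on the flow preprocessor being loaded
# first (assumed from the 2.6 README.sfportscan; verify on your build).
preprocessor flow: stats_interval 0 hash 2

# High sensitivity, all protocols, all scan types, no ignored scanners,
# matching the configuration the original post describes.
preprocessor sfportscan: proto  { all } \
                         scan_type { all } \
                         sense_level { high } \
                         memcap { 10000000 } \
                         logfile { portscan.log }

# --- how the test was run (assumed commands, not from the thread) -------
# SYN scan and TCP connect scan from the workstation against the sensor:
#   nmap -sS 192.168.10.5
#   nmap -sT 192.168.10.5
# Expected after the fix: portscan events in portscan.log and in the
# unified output that barnyard feeds to syslog and BASE.
```

After changing EXTERNAL_NET, restart snort (or send it SIGHUP) so the new variable value is read; then confirm the unified output file grows during the nmap run before looking for the alerts in BASE, so that a barnyard or database problem is not mistaken for a detection failure.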