[Snort-users] port scan detection

Soniya Balram sonia_balram at ...131...
Mon Oct 20 00:43:00 EDT 2008


Hi all,
I use Snort version 2.8.3.1 on a Windows XP machine. I want to detect port scans. I have enabled the sfportscan preprocessor. The config is:
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         scan_type { all } \
                         sense_level { high } \
                         detect_ack_scans
I have also enabled the stream4 preprocessor. The config is:
preprocessor stream4: detect_scans

I have not enabled any rules. I use nmap to generate different types of scans but no alerts are generated.

To test Snort, I wrote a rule:
alert tcp any any -> any any (msg:"got an tcp packet"; sid:2000000; rev:1;)
This results in alerts. 

Can anyone help?

Regards
Soniya
