[Snort-users] port scan detection

Soniya Balram sonia_balram at ...131...
Fri Oct 24 02:51:42 EDT 2008


Hi all,
sfportscan preprocessor is generating alerts now. I added logfile { portscan.log } to the preprocessor config in snort.conf.

Is there some documentation on how sfportscan is implemented?

Regards
Soniya

--- On Mon, 20/10/08, Soniya Balram <sonia_balram at ...131...> wrote:

> From: Soniya Balram <sonia_balram at ...131...>
> Subject: [Snort-users] port scan detection
> To: snort-users at lists.sourceforge.net
> Date: Monday, 20 October, 2008, 10:13 AM
> Hi all,
> I use Snort version 2.8.3.1 on a windows xp machine. I want
> to detect port scans. I have enabled sfportscan
> preprocessor. The config is:
> preprocessor sfportscan: proto  { all } \
>                          memcap { 10000000 } \
>                          scan_type { all } \
>                          sense_level { high } \
>                          detect_ack_scans
> I have also enabled stream4 preprocessor. The config is:
> preprocessor stream4: detect_scans
> 
> I have not enabled any rules. I use nmap to generate
> different types of scans but no alerts are generated.
> 
> To test snort, I wrote a rule:
> alert tcp any any -> any any (msg:"got a tcp packet"; sid:2000000; rev:1;)
> This results in alerts. 
> 
> Can anyone help?
> 
> Regards
> Soniya
> 
> 
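For readers asking what a port-scan preprocessor has to keep track of, the following is an added example, not Snort's sfportscan code and not part of the original post. It is a deliberately simplified detector: for each source address it keeps a sliding time window of the distinct destination ports that address probed and of the negative responses (TCP RST, ICMP port unreachable) the targets sent back, and raises one alert per source when either count passes a threshold. The window length, the thresholds, the addresses and the traffic are all constructed for illustration. Because it keeps no connection state it ignores pure-ACK packets; tracking those is the kind of job the stream4 preprocessor does beside sfportscan in the configuration quoted above.

```python
"""Simplified port-scan detector (added example; not Snort's sfportscan).

Per scanner address, keep a sliding window of (timestamp, probed port,
negative-response) events and alert once when either the number of distinct
ports probed or the number of negative responses crosses a threshold.
All constants below are assumed illustrative values.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WINDOW_SECONDS = 60.0     # sliding window per source (assumed)
PORT_THRESHOLD = 10       # distinct destination ports before alerting (assumed)
NEGATIVE_THRESHOLD = 5    # RST / ICMP-unreachable replies before alerting (assumed)


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: str                 # "tcp" or "icmp"
    dport: int = 0             # TCP destination port
    flags: str = ""            # TCP flags as letters, e.g. "S", "SA", "R", "F"
    icmp_type: int = -1
    icmp_code: int = -1


class ScanDetector:
    """Per-source tracker of distinct ports probed and negative responses seen."""

    def __init__(self, window: float = WINDOW_SECONDS,
                 port_threshold: int = PORT_THRESHOLD,
                 negative_threshold: int = NEGATIVE_THRESHOLD) -> None:
        self.window = window
        self.port_threshold = port_threshold
        self.negative_threshold = negative_threshold
        # scanner ip -> [(timestamp, probed dport or None, is_negative_response)]
        self._events: Dict[str, List[Tuple[float, Optional[int], bool]]] = defaultdict(list)
        self._alerted: set = set()
        self.alerts: List[str] = []

    @staticmethod
    def _classify(pkt: Packet) -> Optional[Tuple[str, Optional[int], bool]]:
        """Map a packet to (scanner_ip, probed_port, is_negative) or None to ignore it."""
        if pkt.proto == "tcp":
            if "R" in pkt.flags:
                # RST travels target -> scanner: a negative response for the scanner (dst)
                return pkt.dst, None, True
            if "A" in pkt.flags:
                # SYN/ACK or pure ACK: needs connection state to judge; ignored here
                return None
            # SYN, FIN, NULL, XMAS and similar: a probe from src to dst:dport
            return pkt.src, pkt.dport, False
        if pkt.proto == "icmp" and pkt.icmp_type == 3 and pkt.icmp_code == 3:
            # ICMP port unreachable: negative response to a UDP probe, sent to the scanner
            return pkt.dst, None, True
        return None

    def observe(self, pkt: Packet) -> Optional[str]:
        """Feed one packet; return an alert string the first time a source trips a threshold."""
        classified = self._classify(pkt)
        if classified is None:
            return None
        scanner, dport, negative = classified
        cutoff = pkt.ts - self.window
        events = [e for e in self._events[scanner] if e[0] >= cutoff]  # expire old events
        events.append((pkt.ts, dport, negative))
        self._events[scanner] = events
        if scanner in self._alerted:
            return None
        ports = {e[1] for e in events if e[1] is not None}
        negatives = sum(1 for e in events if e[2])
        if len(ports) >= self.port_threshold or negatives >= self.negative_threshold:
            self._alerted.add(scanner)
            msg = (f"portscan from {scanner}: {len(ports)} distinct ports, "
                   f"{negatives} negative responses in {self.window:.0f}s")
            self.alerts.append(msg)
            return msg
        return None


def sample_traffic() -> List[Packet]:
    """Constructed traffic: an nmap-style SYN scan of 15 ports plus benign web traffic."""
    pkts: List[Packet] = []
    scanner, target = "10.0.0.5", "10.0.0.10"
    t = 1000.0
    for i, port in enumerate(range(20, 35)):          # ports 22 and 25 "open"
        t += 0.01
        pkts.append(Packet(t, scanner, target, "tcp", dport=port, flags="S"))
        reply_flags = "SA" if port in (22, 25) else "R"
        pkts.append(Packet(t + 0.001, target, scanner, "tcp", dport=50000 + i, flags=reply_flags))
    client, web = "10.0.0.7", "10.0.0.20"             # benign: repeated connects to one port
    for i in range(5):
        pkts.append(Packet(2000.0 + i, client, web, "tcp", dport=80, flags="S"))
        pkts.append(Packet(2000.0 + i + 0.001, web, client, "tcp", dport=51000 + i, flags="SA"))
    return pkts


def run_detector(packets: Optional[List[Packet]] = None) -> List[str]:
    """Run the detector over the given (or the constructed sample) traffic; return alerts."""
    det = ScanDetector()
    for pkt in (packets if packets is not None else sample_traffic()):
        det.observe(pkt)
    return det.alerts


if __name__ == "__main__":
    for alert in run_detector():
        print(alert)
```

Against the constructed sample the scanner is flagged after its fifth RST, well before it has touched ten ports, while the client that opens five connections to a single port never accumulates more than one distinct port and no negative responses. Snort's real preprocessor adds priority counts, scan-type classification and memory caps (the memcap option quoted above) on top of this basic bookkeeping.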
