[Snort-users] preprocessor sfportscan does not generate alerts

Marc Belanger mab_snort at ...125...
Mon Feb 18 12:16:47 EST 2013


Thanks for your reply...
Q: "do you have those specific rules enabled?"
A: My understanding is that by removing the # character the preprocessor is activated. I am not aware of a sfportscan.rule file. scan.rules is not commented out (no # in front of it)

Q: "do your scans follow the specific portscan rules that snort has in the preprocessor?"
A: preprocessor sfportscan: proto  { tcp } scan_type { all } (...)
   or preprocessor sfportscan: proto  { all } scan_type { all } (...)
   does not generate alerts for
   nmap -sS <dest_ip_address>

> Date: Fri, 15 Feb 2013 23:10:52 -0500
> From: wkitty42 at ...14940...
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] preprocessor sfportscan does not generate alerts
> 
> On 2/15/2013 17:04, Marc Belanger wrote:
> > Hi,
> >
> > How do I troubleshoot a Snort install that generates no alert when the
> > sfportscan preprocessor is activated?
> 
> do you have those specific rules enabled?
> 
> do your scans follow the specific portscan rules that snort has in the preprocessor?
> 
> i have seen some scans that do not trigger because there are no rules for 
> them... or they don't comply with the existing rules...
> 
> 