[Snort-users] preprocessor sfportscan does not generate alerts

waldo kitty wkitty42 at ...14940...
Mon Feb 18 16:24:08 EST 2013


On 2/18/2013 12:16, Marc Belanger wrote:
> Thanks for your reply...
>
> Q: "do you have those specific rules enabled?"
> A: My understanding is that by removing the # character the preprocessor is
> activated.
> I am not aware of a sfportscan.rule file.
> scan.rules is not commented out (no # in front of it)
>
> Q: "do your scans follow the specific portscan rules that snort has in the
> preprocessor?"
> A: preprocessor sfportscan: proto { tcp } scan_type { all } (...)
> or preprocessor sfportscan: proto { all } scan_type { all } (...)
> does not generate alerts for nmap -sS <dest_ip_address>

right... some scans are not detected by the portscanner... there are specific 
rules written for them... in this particular case, the EmergingThreats rule 
1:2000537 or 1:2000545 covers "nmap -sS"... i count at least twenty-five (25) 
nmap related rules in both the VRT and the ET rules sets...




More information about the Snort-users mailing list