[Snort-users] preprocessor sfportscan does not generate alerts

johnny.venter johnny.venter at ...15370...
Mon Feb 25 09:55:55 EST 2013


I need clarification on preprocessors and rules.  In the example below, the preprocessor for sfportscan is "enabled" and it writes an output log to a certain directory when it detects a portscan.  But Snort will *NOT* generate an event unless there is a rule enabled for a portscan???

I have a similar situation where sfportscan is enabled and writes to a log directory.  It successfully detects various Nmap/Scapy port scans.  But Snort never generates an alert in the u2 file.

Is there a way to generate an alert without creating a specific port scan rule?  If not, this would seem redundant because sfportscan already successfully detects portscans.


Thanks.

On Feb 18, 2013, at 4:24 PM, waldo kitty  wrote:

On 2/18/2013 12:16, Marc Belanger wrote:
Thanks for your reply...

Q: "do you have those specific rules enabled?"
A: My understanding is that by removing the # character the preprocessor is
activated.
I am not aware of a sfportscan.rule file.
scan.rules is not commented out (no # in front of it)

Q: "do your scans follow the specific portscan rules that snort has in the
preprocessor?"
A: preprocessor sfportscan: proto { tcp } scan_type { all } (...)
or preprocessor sfportscan: proto { all } scan_type { all } (...)
does not generate alerts for nmap -sS 

right... some scans are not detected by the portscanner... there are specific 
rules written for them... in this particular case, the EmergingThreats rule 
1:2000537 or 1:2000545 covers "nmap -sS"... i count at least twenty-five (25) 
nmap related rules in both the VRT and the ET rules sets...
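The thread above is about sfportscan writing its own logfile even when no event reaches the unified2 output. As an added example (not code from the thread or from the Snort project), here is a small parser that turns that logfile into a per-scanner summary, so the preprocessor's output can be reviewed or fed to other tooling while the alerting question is sorted out. The record layout (a "Time:" line, an "event_id:" line, a "src -> dst (category) type" line, then "Key: Value" lines, records separated by a blank line) is an assumption modelled on sfportscan's logfile format; the sample records are constructed, not captured from a real sensor, and the layout should be checked against the output of your own Snort version.

```python
"""Parse sfportscan 'logfile' output and summarise it per scanning host.

Added example, not from the Snort-users thread. The record layout is an
assumption modelled on the sfportscan logfile format; verify it against
your own Snort build before relying on it.
"""
import re
from collections import defaultdict

# Constructed sample records in the assumed sfportscan logfile layout.
SAMPLE_LOG = """\
Time: 02/25-09:12:01.100000
event_id: 1
10.0.0.5 -> 10.0.0.20 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 5
IP Count: 1
Scanner IP Range: 10.0.0.5:10.0.0.5
Port/Proto Count: 5
Port/Proto Range: 22:443

Time: 02/25-09:12:07.250000
event_id: 2
10.0.0.5 -> 10.0.0.20 (portscan) TCP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 1
Scanner IP Range: 10.0.0.5:10.0.0.5
Port/Proto Count: 200
Port/Proto Range: 20:47557

Time: 02/25-09:15:33.000000
event_id: 3
10.0.0.7 -> 10.0.0.21 (portsweep) UDP Portsweep
Priority Count: 1
Connection Count: 12
IP Count: 12
Scanner IP Range: 10.0.0.7:10.0.0.7
Port/Proto Count: 1
Port/Proto Range: 53:53
"""

# "src -> dst (category) description", e.g. "(portscan) TCP Portscan"
HEADER_RE = re.compile(r"^(\S+) -> (\S+) \((\w+)\) (.+)$")


def parse_sfportscan_log(text):
    """Return one dict per blank-line separated record.

    The header line is split into src/dst/category/type; every other
    line is split on its first ':' so values containing ':' (timestamps,
    IP ranges, port ranges) are kept intact.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = HEADER_RE.match(line)
            if m:
                rec["src"], rec["dst"], rec["category"], rec["type"] = m.groups()
                continue
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if "src" in rec:  # skip fragments that never had a header line
            records.append(rec)
    return records


def summarise(records):
    """Per source address: event count, distinct targets, max connection count."""
    summary = defaultdict(lambda: {"events": 0, "targets": set(), "max_conn": 0})
    for r in records:
        s = summary[r["src"]]
        s["events"] += 1
        s["targets"].add(r["dst"])
        s["max_conn"] = max(s["max_conn"], int(r.get("Connection Count", 0)))
    return dict(summary)


if __name__ == "__main__":
    for src, s in summarise(parse_sfportscan_log(SAMPLE_LOG)).items():
        print(f"{src}: {s['events']} events, "
              f"{len(s['targets'])} target(s), max connections {s['max_conn']}")
```

Point it at the real file named in sfportscan's `logfile { ... }` option instead of `SAMPLE_LOG`; if a record fails to parse, compare the first few lines of that file against the assumed layout before changing the regex.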
