Thu Nov 23 16:36:19 EST 2017
# portscan: detect a variety of portscans
# portscan preprocessor by Patrick Mullen <p_mullen at ...245...>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.
preprocessor portscan: $HOME_NET 4 3 portscan.log
# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can add multiple hosts/networks
# in a whitespace-delimited list.
preprocessor portscan-ignorehosts: $DNS_SERVERS
Now, depending on a few things, you might not be tripping the preprocessor.
Have you changed the "4 3" config? Are you using DNS_SERVERS? If so, make
sure you're not trying to scan a host in the ignorelist. What is the timing
level you're using for nmap (-T <option>)?
Sounds like a config issue, since you can see the packets on the wire when you
sniff for them....
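The reply above hinges on what the `4 3` thresholds actually mean for a scan of a given speed. The following is an added illustration, not Snort's code and not from the original post: a simplified model of the old portscan preprocessor's rule (N distinct destination ports from one source in under T seconds, counting only UDP and TCP SYN, skipping sources on the ignore list, flagging "stealth" TCP packets with neither SYN nor ACK regardless of thresholds). The traffic, the home net and the ignore host are constructed; the per-source bookkeeping is an assumption about how such a counter would be kept, not a description of Snort's internals. The slow source `10.0.0.7` shows why a conservative nmap timing template can sit under a `4 3` threshold forever.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample traffic (not captured data):
# (timestamp_seconds, src, dst, proto, tcp_flags, dst_port)
SAMPLE_PACKETS = [
    (0.0,  "10.0.0.5",  "192.168.1.10", "tcp", "S", 22),
    (0.5,  "10.0.0.5",  "192.168.1.10", "tcp", "S", 80),
    (1.0,  "10.0.0.5",  "192.168.1.10", "tcp", "S", 443),
    (1.2,  "10.0.0.5",  "192.168.1.10", "tcp", "S", 443),   # repeated port: not a new port
    (1.5,  "10.0.0.5",  "192.168.1.10", "tcp", "S", 8080),  # 4th distinct port in 1.5 s -> alert
    (2.0,  "10.0.0.53", "192.168.1.10", "udp", "",  53),    # listed in ignore hosts (DNS server)
    (2.1,  "10.0.0.53", "192.168.1.10", "udp", "",  1025),
    (2.2,  "10.0.0.53", "192.168.1.10", "udp", "",  1026),
    (2.3,  "10.0.0.53", "192.168.1.10", "udp", "",  1027),
    (3.0,  "10.0.0.7",  "192.168.1.10", "tcp", "S", 21),    # slow source: one port every 2 s
    (5.0,  "10.0.0.7",  "192.168.1.10", "tcp", "S", 23),
    (7.0,  "10.0.0.7",  "192.168.1.10", "tcp", "S", 25),
    (9.0,  "10.0.0.7",  "192.168.1.10", "tcp", "S", 110),   # never 4 ports inside a 3 s window
    (9.5,  "10.0.0.9",  "192.168.1.10", "tcp", "F", 22),    # FIN with no SYN/ACK: "stealth", flagged at once
    (10.0, "10.0.0.5",  "172.16.0.1",   "tcp", "S", 22),    # destination outside $HOME_NET: not tracked
]


class PortscanDetector:
    """Simplified model of 'preprocessor portscan: $HOME_NET <ports> <seconds>'."""

    def __init__(self, home_net, ports=4, seconds=3, ignore_hosts=()):
        self.home_net = [ip_network(n) for n in home_net]
        self.ignore = [ip_network(n) for n in ignore_hosts]
        self.ports = ports          # distinct destination ports needed to alert
        self.seconds = seconds      # length of the sliding time window
        self.windows = defaultdict(deque)  # src -> deque of (timestamp, dst_port)
        self.alerted = set()        # sources already reported, to avoid repeats

    @staticmethod
    def _member(nets, addr):
        a = ip_address(addr)
        return any(a in n for n in nets)

    def process(self, ts, src, dst, proto, flags, dport):
        """Return an alert string for this packet, or None."""
        if not self._member(self.home_net, dst):
            return None
        # Stealth TCP (no SYN, no ACK) is reported regardless of thresholds or ignore list.
        if proto == "tcp" and "S" not in flags and "A" not in flags:
            return f"STEALTH {src} -> {dst}:{dport} flags={flags or 'NULL'}"
        if self._member(self.ignore, src):
            return None
        # Only UDP and pure TCP SYN packets feed the port counter.
        if not (proto == "udp" or (proto == "tcp" and flags == "S")):
            return None
        window = self.windows[src]
        window.append((ts, dport))
        # Drop entries that are no longer within 'seconds' of the newest packet.
        while window and ts - window[0][0] >= self.seconds:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= self.ports and src not in self.alerted:
            self.alerted.add(src)
            span = ts - window[0][0]
            return f"PORTSCAN {src} -> {dst}: {len(distinct)} ports in {span:.1f}s"
        return None


def scan_alerts(packets, ports=4, seconds=3,
                home_net=("192.168.1.0/24",), ignore_hosts=("10.0.0.53/32",)):
    """Run the detector over a packet list and collect the alerts it raises."""
    det = PortscanDetector(home_net, ports=ports, seconds=seconds, ignore_hosts=ignore_hosts)
    return [a for a in (det.process(*p) for p in packets) if a]


if __name__ == "__main__":
    for line in scan_alerts(SAMPLE_PACKETS):
        print(line)
```

With the defaults this reports the fast SYN source and the FIN packet, and nothing for the ignored DNS server or the two-seconds-per-port source; raising the port threshold to 5 leaves only the stealth alert, which is the kind of "4 3 changed?" effect the reply asks about.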