No subject

Thu Nov 23 16:36:19 EST 2017

# portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen at ...245...>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.

preprocessor portscan: $HOME_NET 4 3 portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can list multiple hosts/networks
# in a whitespace-delimited list.
preprocessor portscan-ignorehosts: $DNS_SERVERS

Now, depending on a few things, you might not be tripping the preprocessor.
Have you changed the "4 3" config?  Are you using DNS_SERVERS?  If so, make
sure you're not trying to scan a host in the ignorelist.  What is the timing
level you're using for nmap (-T <option>)?

Sounds like a config issue, since you can see the packets on the wire when you
sniff for them...

Good luck!

Erek Adams
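The "4 3" threshold and the portscan-ignorehosts behaviour described in the config above, as an added illustrative model in Python (this is not Snort's own preprocessor code; the packet records, addresses and the ignore entry are constructed for the example):

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

class PortscanDetector:
    """Alert when one source sends UDP or TCP SYN packets to `ports` distinct ports on
    one host inside `seconds` ("4 3" above); sources in `ignore` are skipped."""

    def __init__(self, ports=4, seconds=3, ignore=()):
        self.ports, self.seconds = ports, seconds
        self.ignore = [ip_network(n) for n in ignore]
        self.windows = defaultdict(deque)   # (src, dst) -> deque of (ts, port)
        self.alerted = set()                # one alert per (src, dst) pair

    def observe(self, ts, src, dst, port, proto, flags=""):
        """Feed one packet; return an alert string, or None if nothing fired."""
        # Only UDP and bare TCP SYNs count; ACKs, RSTs and data packets are skipped.
        if proto == "udp" or (proto == "tcp" and flags == "S"):
            if any(ip_address(src) in n for n in self.ignore):
                return None
            win = self.windows[(src, dst)]
            win.append((ts, port))
            while ts - win[0][0] >= self.seconds:   # drop packets outside the window
                win.popleft()
            distinct = {p for _, p in win}
            if len(distinct) >= self.ports and (src, dst) not in self.alerted:
                self.alerted.add((src, dst))
                return f"PORTSCAN DETECTED from {src} to {dst}: {len(distinct)} ports in <{self.seconds}s"
        return None

# Constructed sample traffic: (timestamp s, src, dst, dst_port, proto, tcp_flags)
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.20", 22, "tcp", "S"),      # fast SYN scan: 4 ports in 1.5 s
    (0.5, "10.0.0.5", "10.0.0.20", 80, "tcp", "S"),
    (1.0, "10.0.0.5", "10.0.0.20", 443, "tcp", "S"),
    (1.5, "10.0.0.5", "10.0.0.20", 8080, "tcp", "S"),
    (10.0, "10.0.0.6", "10.0.0.20", 22, "udp", ""),      # slow probe, one port per 5 s
    (15.0, "10.0.0.6", "10.0.0.20", 53, "udp", ""),
    (20.0, "10.0.0.6", "10.0.0.20", 161, "udp", ""),
    (25.0, "10.0.0.6", "10.0.0.20", 500, "udp", ""),
    (30.0, "10.0.0.53", "10.0.0.20", 1024, "udp", ""),   # DNS server on the ignore list
    (30.1, "10.0.0.53", "10.0.0.20", 1025, "udp", ""),
    (30.2, "10.0.0.53", "10.0.0.20", 1026, "udp", ""),
    (30.3, "10.0.0.53", "10.0.0.20", 1027, "udp", ""),
]

def run(packets, ignore=("10.0.0.53",)):
    """Replay packets through a 4-ports-in-3-seconds detector; return the alerts."""
    det = PortscanDetector(ports=4, seconds=3, ignore=ignore)
    return [a for a in (det.observe(*p) for p in packets) if a]
```

Only the fast scanner trips the threshold; the slow probe never has four ports inside any 3-second window, and the DNS server is suppressed by the ignore list, which is the false-alert case the config comment warns about.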
