 
From: Crist J. Clark (cjclarkreflexnet.net)
Date: Thu Mar 08 2001 - 23:58:34 CST


    On Thu, Mar 08, 2001 at 07:11:35PM -0800, jason lee wrote:
    > Thank you, Crist.
    >
    > Yup, my snort is working properly but SF
    > attacks...oooh.
    >
    > in my snort.conf:
    > ......
    > HOME_NET 0.0.0.0
    > ......
    > preprocessor minfrag: 128
    > preprocessor defrag
    > ......
    > preprocessor portscan: $HOME_NET 4 3 /var/log/syslog
    > ......
    >
    > And all *.rules were included in snort.conf. I am sure
    > that there is no problem in my configuration. I have
    > tried nmap and its scans were picked up by snort in my
    > syslog.
    > What can I do now? Any help would be greatly
    > appreciated.

    Do you have a 'portscan-ignorehosts' line? You say that nmap port
    scans are detected. Have you verified that your SYN scan is actually
    reaching the target? If you do a tcpdump on the Snort host, do you see
    the SYN scan coming in?

    -- 
    Crist J. Clark                           cjclarkalum.mit.edu
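
The first check suggested in the reply, as an added example that is not part of the original thread: it reads a snort.conf in the Snort 1.x syntax quoted above and reports whether a scanning host is covered by a `portscan-ignorehosts` line. The sample configuration, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the Snort 1.x syntax quoted in the thread; the
# ignorehosts line and all addresses are assumptions for illustration.
SAMPLE_CONF = """\
var HOME_NET 192.0.2.0/24
preprocessor minfrag: 128
preprocessor defrag
preprocessor portscan: $HOME_NET 4 3 /var/log/syslog
preprocessor portscan-ignorehosts: 198.51.100.7/32 192.0.2.53
"""

def parse_portscan(conf_text):
    """Return (portscan settings dict or None, list of ignored networks)."""
    variables, settings, ignored = {}, None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"var\s+(\S+)\s+(\S+)", line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = re.match(r"preprocessor\s+([\w-]+)\s*:\s*(.*)", line)
        if not m:
            continue
        name = m.group(1)
        # Expand $VAR references using the var lines seen so far.
        args = [variables.get(a[1:], a) if a.startswith("$") else a
                for a in m.group(2).split()]
        if name == "portscan" and len(args) == 4:
            settings = {"network": args[0], "ports": int(args[1]),
                        "seconds": int(args[2]), "log": args[3]}
        elif name == "portscan-ignorehosts":
            for a in args:
                try:
                    ignored.append(ipaddress.ip_network(a, strict=False))
                except ValueError:
                    pass                             # unresolved variable or junk
    return settings, ignored

def scanner_is_ignored(conf_text, scanner_ip):
    """True if the portscan preprocessor is told to ignore scanner_ip."""
    _, ignored = parse_portscan(conf_text)
    addr = ipaddress.ip_address(scanner_ip)
    return any(addr in net for net in ignored)

if __name__ == "__main__":
    print(parse_portscan(SAMPLE_CONF)[0])
    print(scanner_is_ignored(SAMPLE_CONF, "198.51.100.7"))
```

If the scanning host is not ignored, the second check from the reply still applies: confirm with tcpdump on the Snort host that the scan packets actually arrive.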
    
