RE: [Snort-users] no portscan traffic

From: Murray, Todd (Todd.Murrayadidasus.com)
Date: Wed Jul 21 2004 - 14:39:54 CDT


You're missing the conversation preprocessor, and your portscan2 preprocessor
is incorrect.

Here are mine.

preprocessor bo
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
preprocessor portscan2-ignorehosts: 10.1.5.0/24 10.2.5.0/24 10.1.2.4/32 10.1.10.2/32 10.1.10.7/32 10.1.2.5/32 10.2.2.3/32
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 30, port_limit 40, timeout 40, log /var/log/snort/portscan2.eth0.log

-----Original Message-----
From: snort-users-adminlists.sourceforge.net
[mailto:snort-users-adminlists.sourceforge.net] On Behalf Of Adam Denenberg
Sent: Wednesday, July 21, 2004 10:44 AM
To: snort-userslists.sourceforge.net
Subject: [Snort-users] no portscan traffic

I have flow-portscan2 enabled in snort.conf, but no portscan traffic is
showing up in ACID. Here are my plugins.

Any ideas?

[rootids1 docs]# grep preprocessor /etc/snort/snort.conf

preprocessor frag2: timeout 35, memcap 4194304, min_ttl 3, ttl_limit 8
preprocessor stream4: detect_scans, timeout 35, memcap 32000000, min_ttl 3,
preprocessor stream4_reassemble: both, ports all
preprocessor http_inspect: global proxy_alert iis_unicode_map
preprocessor http_inspect_server: server default profile all ports { 80 443 }
preprocessor http_inspect_server: server 207.241.152.130 bare_byte no
preprocessor http_inspect_server: server 207.241.153.143 bare_byte no
preprocessor http_inspect_server: server 207.241.152.242 bare_byte no
preprocessor http_inspect_server: server 207.241.152.249 bare_byte no
preprocessor flow: stats_interval 0 hash 2
preprocessor flow-portscan: \
preprocessor rpc_decode: 111 32771
#preprocessor bo
preprocessor telnet_decode
#preprocessor arpspoof #preprocessor arpspoof_detect_host:
192.168.40.1 f0:0f:00:f0:0f:00

thanks
adam
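
The two problems Todd points out (a portscan preprocessor configured without the one it depends on, and a `flow-portscan` line whose trailing backslash leaves its arguments incomplete) can be caught before restarting Snort. The following is an added example, not code from the thread or from the Snort project; the dependency table is taken from the Snort 2.x manual, and the sample config is constructed to mimic the grep output quoted above.

```python
import re
# Snort 2.x preprocessors that only work when the one they depend on is enabled.
REQUIRES = {
    "portscan2": "conversation",
    "flow-portscan": "flow",
    "stream4_reassemble": "stream4",
}

# Constructed sample modelled on the grep output quoted in this thread.
BROKEN_CONF = """\
preprocessor stream4: detect_scans, timeout 35
preprocessor stream4_reassemble: both, ports all
preprocessor flow: stats_interval 0 hash 2
preprocessor flow-portscan: \\
preprocessor rpc_decode: 111 32771
preprocessor portscan2: scanners_max 256, targets_max 1024
"""

def _logical_lines(text):
    """Join backslash-continued lines, skip blank and '#' comment lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    return out

def parse_preprocessors(text):
    """Map preprocessor name -> list of argument strings (active lines only)."""
    found = {}
    for line in _logical_lines(text):
        m = re.match(r"preprocessor\s+([\w\-]+)\s*:?\s*(.*)$", line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2).strip())
    return found

def check_config(text):
    """Report missing dependencies and continuations that swallowed a directive."""
    pre = parse_preprocessors(text)
    problems = [f"{n} is enabled but requires {d}"
                for n, d in REQUIRES.items() if n in pre and d not in pre]
    for name, arg_list in pre.items():
        if any("preprocessor" in a for a in arg_list):
            problems.append(f"{name}: trailing backslash swallowed the next directive")
    return sorted(problems)
```

Run `check_config(open("/etc/snort/snort.conf").read())` against a real file; an empty list means every portscan-related preprocessor has what it needs.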

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users