This is a discussion on [Snort-users] Snort-2.1.3 Portscan within the Snort forums, part of the System Security and Security Related category.
One thing I should clarify about my previous post:

You can get portscan alerts to log and display in the ACID alert pages, just not in the main page with the traffic profile bars. It also doesn't display in a very readable format, as you have to set output-mode to 'pktkludge' in the flow-portscan configuration section.

John McCash

-----Original Message-----
From: McCash, John
Sent: Monday, August 16, 2004 2:10 PM
To: 'Scott Elgram'; snort-users@lists.sourceforge.net; 'erek@snort.org'
Subject: RE: [Snort-users] Snort-2.1.3 Portscan

Scott,

This needs to go in the FAQ. Because Roman hasn't updated ACID in ages, it lacks support for flow-portscan. To get ACID to properly recognize portscans, you need to go back to portscan2, which is still implemented in the code, but no longer listed in the default conf file. There are a number of articles in the snort-users mailing list archives that address this, including http://marc.theaimsgroup.com/?l=sn...48107572&w=2.

On a side note, Roman is purportedly working on a major update for ACID in conjunction with other work, but it's apparently going slow. We're hoping for something in the Q1 '05 timeframe.

John McCash

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Scott Elgram
Sent: Monday, August 16, 2004 10:45 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Snort-2.1.3 Portscan

Hello,

I am trying to configure a SNORT 2.1.3 system with MySql and Acid. I have it all up and running just fine right now except for one thing. I can't seem to get anything to register in the port scan traffic section of Acid. I have looked through my snort.conf for anything and found the flow-portscan preprocessor. I uncommented it and configured it as follows:

--------------------------------------------------------
preprocessor flow-portscan: \
    unique-memcap 5000000 \
    unique-rows 50000 \
    server-watchnet [192.168.0.0/24] \
    server-learning-time 300 \
    server-scanner-limit 50 \
    alert-mode once \
    output-mode msg \
    tcp-penalties on
--------------------------------------------------------

Even with this configuration I still can't seem to get anything to register in that particular section. I am using superscan and scanning various IPs on the network SNORT is watching. Have I configured this wrong maybe?

Thanks,
-Scott

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...=snort-users
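The two fixes the thread describes, switching flow-portscan to output-mode pktkludge or going back to portscan2, as an added snort.conf fragment that is not from any of the posts above. The option names follow the Snort 2.1.x manual as I recall it (an assumption to check against your own manual); the numeric values are placeholders to tune, and the flow and conversation lines are the prerequisites each detector needs.

```conf
# Added example, not from the thread. Option names per the Snort 2.1.x
# manual (assumption); numeric values are placeholders to tune for your net.

# --- Option A: keep flow-portscan, but emit alerts the DB plugin stores ---
# flow-portscan depends on the flow preprocessor, which must be loaded first.
preprocessor flow: stats_interval 0 hash 2

preprocessor flow-portscan: \
    unique-memcap 5000000 \
    unique-rows 50000 \
    server-watchnet [192.168.0.0/24] \
    server-learning-time 300 \
    server-scanner-limit 50 \
    alert-mode once \
    output-mode pktkludge \
    tcp-penalties on
# 'msg' produces a text-only alert; 'pktkludge' packages the same scan data
# as a pseudo-packet so the database output plugin logs it and ACID can show
# it in the alert pages (readability suffers, as the thread notes).

# --- Option B: the older portscan2 detector, which ACID does understand ---
# portscan2 needs the conversation preprocessor for its session tracking.
preprocessor conversation: allowed_ip_protocols all, timeout 60, \
    max_conversations 32000

preprocessor portscan2: scanners_max 3200, targets_max 5000, \
    target_limit 5, port_limit 20, timeout 60
# target_limit / port_limit: hosts or ports one source may touch within
# 'timeout' seconds before an alert fires. Raise them on busy segments
# (monitoring hosts, resolvers) to keep false positives down.
# Enable one detector or the other to avoid duplicate alerts for one scan.
```

Whichever option you pick, confirm the alert actually reaches the database by checking the event table after a single test scan from a host you control, before reading anything into what ACID's summary page shows.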