Snort mailing list archives

RE: nmap scans don't appear in portscan.log


From: "Estes, Matt: CPR / FCBS" <Matt.Estes () eis army mil>
Date: Mon, 1 Apr 2002 16:54:11 -0500

If it detected it once already, then might be a network issue.  Are you sure
that you actually see the scan traffic from another machine (not IDS
machine) to another machine?  Try "snort -vde host [host ip]" to filter out
only that host, then rerun your scan and look for lots of crap (technical
term) flying past the screen.  If you see the scan, it's a snort config
problem, if not, a network problem.

If you are on a switch, it's possible it is not allowing that traffic to
your host or not allowing your host to enter promiscuous mode.  Or, your
interface is acting a bit strange.

Matt

-----Original Message-----
From: Salomon, Charlie [mailto:csalomon () Elemica com]
Sent: Monday, April 01, 2002 3:25 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] nmap scans don't appear in portscan.log


I'm a Snort newbie and need some help.  I configured Snort 1.8.4 on Linux
(Slackware 7.1) with the default snort.conf file except for the HOME_NET
variable.  We use a 172.xx.x.0 internal network with a 255.255.252.0 mask.
The HOME_NET entry is 172.xx.x.0/22.  

I ran nmap against the Snort box and the scans were properly detected.
However, when I ran a scan against other machines on our network, the scans
were not detected.  I am running snort as a daemon with the following
parameters:

snort -b -y -A fast -c snort.conf -M wrkstns -D

I ran snort -vde, and I am seeing packets from other machines.
All scans are from an internal machine to other internal machines, and on
the same subnet.  
All preprocessors pertaining to scans are active as well as the scan.rules.

I reviewed the scan.rules file and all the rules contain entries such as
"alert tcp $EXTERNAL_NET any -> $HOME_NET any yadda, yadda, yadda". I
thought that Snort might not detect a scan if it came from the same subnet.
I then added (copied actually) the rules pertaining to nmap and changed the
$EXTERNAL_NET to $HOME_NET, so the new rules read:

"alert tcp $HOME_NET any -> $HOME_NET any yadda, yadda, yadda"  

I ran nmap again and still no entry in the portscan.log.  

If someone could point me in the right direction, I'd greatly appreciate it.



Charlie Salomon



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

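To make the $EXTERNAL_NET / $HOME_NET direction question in the thread concrete, here is an added Python example (not code from the thread or from Snort): it emulates the address check of a rule such as "alert tcp $EXTERNAL_NET any -> $HOME_NET any" and runs a simple threshold-style port scan detector over constructed connection records. It assumes 172.16.0.0/22 as a stand-in for the poster's 172.xx.x.0/22 and models $EXTERNAL_NET as !$HOME_NET (an assumption; a stock snort.conf may define it as "any"); the threshold of 4 targets in 3 seconds is illustrative, not Snort's own configuration.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for the poster's 172.xx.x.0/22 HOME_NET.
HOME_NET = ipaddress.ip_network("172.16.0.0/22")


def in_home_net(ip):
    return ipaddress.ip_address(ip) in HOME_NET


def rule_direction_matches(src, dst, src_var="EXTERNAL_NET", dst_var="HOME_NET"):
    """Emulate the address part of 'alert tcp $SRC any -> $DST any'.
    Assumption: $EXTERNAL_NET is modelled as 'not in HOME_NET' (!$HOME_NET)."""
    src_ok = in_home_net(src) if src_var == "HOME_NET" else not in_home_net(src)
    dst_ok = in_home_net(dst) if dst_var == "HOME_NET" else not in_home_net(dst)
    return src_ok and dst_ok


def detect_portscans(records, max_ports=4, window=3.0):
    """Threshold detector: flag a source that touches max_ports or more
    distinct (dst, port) targets within `window` seconds, regardless of
    whether src and dst share a subnet. records: (t, src, dst, dport)."""
    history = defaultdict(list)   # src -> [(t, dst, dport)] inside the window
    alerted = []
    for t, src, dst, dport in sorted(records):
        hist = history[src]
        hist.append((t, dst, dport))
        hist[:] = [h for h in hist if t - h[0] <= window]   # drop stale entries
        targets = {(h[1], h[2]) for h in hist}
        if len(targets) >= max_ports and src not in alerted:
            alerted.append(src)
    return alerted


# Constructed sample: an internal host scanning a neighbour on the same /22,
# then an outside host scanning the gateway. Times are seconds.
SAMPLE = [(i * 0.2, "172.16.1.10", "172.16.2.5", p)
          for i, p in enumerate([21, 22, 23, 25, 80])]
SAMPLE += [(10.0 + i * 0.2, "203.0.113.7", "172.16.1.1", p)
           for i, p in enumerate([22, 80, 443, 8080])]

if __name__ == "__main__":
    # An EXTERNAL_NET -> HOME_NET rule never matches the internal-to-internal scan.
    print(rule_direction_matches("172.16.1.10", "172.16.2.5"))                     # False
    print(rule_direction_matches("172.16.1.10", "172.16.2.5", src_var="HOME_NET"))  # True
    # A source-threshold detector flags both scanners.
    print(detect_portscans(SAMPLE))   # ['172.16.1.10', '203.0.113.7']
```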
