Snort mailing list archives

RE: UDP Portscans Are Not Capture


From: McClure Gammon <gammon.mcclure () volvo com>
Date: Mon, 30 Sep 2002 19:24:17 +0200

Hi All,
I've seen a similar lack of UDP scans (1.8.7 b93) in the portscan.log files (none since March 5). Not too bothersome since we deny UDP inbound, but the question did nag at me. My C skills are pretty limited (bordering on non-existent), but looking at spp_portscan.c it appears to this novice that the "Compile Time Settings" just prior to the LogScanInfoToSeparateFile subroutine set the default scansToWatch = ~(sRESERVEDBITS | sUDP); with commented-out options to watch everything. Could this be the source of the problem?

Best Regards,
Gammon
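The following C program is an added illustration of the bitmask semantics discussed above; it is not code from spp_portscan.c or from the Snort project. Only the identifier names sUDP, sRESERVEDBITS and scansToWatch come from the post: the bit values, the "every bit must be enabled" filter rule and the sample scan events are assumptions constructed for this example. It shows that a mask built with ~(sRESERVEDBITS | sUDP) passes TCP SYN and FIN events but drops anything carrying the sUDP bit, while the "watch everything" mask passes all of them.

```c
/* Added example: how a compile-time "scans to watch" bitmask filters
 * portscan events.  This is NOT the code from spp_portscan.c.  The
 * flag values, the filter rule and the sample events are assumptions
 * made for this illustration; only the names sUDP, sRESERVEDBITS and
 * scansToWatch appear in the original post. */
#include <stdio.h>

/* Assumed scan-type bits (hypothetical values, not Snort's). */
#define sTCP          0x0001u
#define sSYN          0x0002u
#define sFIN          0x0004u
#define sUDP          0x0008u
#define sRESERVEDBITS 0x0100u   /* assumed: TCP reserved bits set */

/* Default as described in the post: everything except reserved-bit
 * scans and UDP scans. */
#define SCANS_DEFAULT  (~(sRESERVEDBITS | sUDP))
/* The "watch everything" alternative the post says is commented out. */
#define SCANS_ALL      (~0u)

/* Constructed scan events (not captured traffic). */
struct scan_event { unsigned flags; const char *label; };

static const struct scan_event events[] = {
    { sTCP | sSYN,          "TCP SYN scan" },
    { sTCP | sFIN,          "TCP FIN scan" },
    { sUDP,                 "UDP scan" },
    { sTCP | sRESERVEDBITS, "TCP reserved-bits scan" },
};
#define NEVENTS (sizeof events / sizeof events[0])

/* Assumed filter rule: an event is logged only if every bit it carries
 * is enabled in the watch mask.  Because ~(... | sUDP) clears the sUDP
 * bit, any event flagged sUDP is silently dropped under the default. */
int should_log(unsigned flags, unsigned watch)
{
    return (flags & watch) == flags;
}

/* Count how many of the constructed events a given mask would log. */
int count_logged(unsigned watch)
{
    int n = 0;
    for (size_t i = 0; i < NEVENTS; i++)
        if (should_log(events[i].flags, watch))
            n++;
    return n;
}

int main(void)
{
    unsigned masks[] = { SCANS_DEFAULT, SCANS_ALL };
    const char *names[] = { "scansToWatch = ~(sRESERVEDBITS | sUDP)",
                            "scansToWatch = watch everything" };
    for (int m = 0; m < 2; m++) {
        printf("%s:\n", names[m]);
        for (size_t i = 0; i < NEVENTS; i++)
            printf("  %-24s %s\n", events[i].label,
                   should_log(events[i].flags, masks[m]) ? "logged" : "dropped");
        printf("  -> %d of %zu events logged\n", count_logged(masks[m]), NEVENTS);
    }
    return 0;
}
```

Under the assumed default mask the UDP event and the reserved-bits event are dropped and only the two TCP events are logged; under the "watch everything" mask all four pass. Whether the real preprocessor applies the mask with this exact rule is not something the thread establishes, so treat the filter function as a model of the post's reading of the setting, not as Snort's code.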

-----Original Message-----
From: James Hoagland [mailto:hoagland () SiliconDefense com]
Sent: Monday, September 30, 2002 12:37 PM
To: Grigoris Vidakis; Erek Adams
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] UDP Portscans Are Not Capture


At 6:53 PM +0300 9/30/02, Grigoris Vidakis wrote:
> Dear Sir,
> I run Snort version 1.8.3 (Build 88) on Linux 7.3 (2.4.18-3) and it
> captures and alerts me for UDP portscans,
> BUT on the same box, with the same kernel and libpcap, Snort version
> 1.8.7 (Build 128) does not capture them.

To be clear, are you giving the same file as input (with -r) both times? That is, are both Snorts seeing the same stream of packets? If this is the case, then we'll need to investigate.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users