Snort mailing list archives

detecting fragmented portscan with snort 2.1.0


From: "Jochen" <dibo303 () gmx de>
Date: Fri, 23 Jan 2004 10:08:52 +0100 (MET)

Hi,

Doing a portscan with e.g. nmap is logged as a portscan by Snort. Ok, fine.
But doing a fragmented portscan only logs a "tiny fragments" alert and NOT
a portscan as a 2nd alert.
Why?
The frag2 preprocessor gets the packets before flow-portscan because it is
(logically) listed first in the snort.conf. So it generates an alarm. But
should the defragmented packets that reach the flow-portscan preprocessor not
generate an alarm, too?
Or are alerts from two preprocessors on one packet stream not supported in
Snort 2.1.0?

Jochen
