02-19-2008   #1
Saltamontes
Join Date: Oct 2007
Location: Mexico
Snort - What change on snort.conf to detect IP list scan???

Hello to all

I have been testing an IDS to see if it detects all kinds (that I know) of scans.

I used a popular program for scanning and it detects almost all scans that I have tested, except one: the list of IPs from a range (#program <iplist option> X.X.0.0/X).

No alert is shown in the GUI of the IDS, but the result of the scan is registered in the snort log file produced; I see it using tcpdump.

I wrote an sfportscan section as follows:

Code:
# sfportscan: watch every protocol and every scan type at the highest sensitivity,
# and also count bare ACK packets towards scan detection
preprocessor sfportscan: proto { all } \
                         scan_type { all } \
                         memcap { 10000000 } \
                         sense_level { high } \
                         detect_ack_scans
I added the "detect_ack_scans" but it doesn't make any difference . . .
Also I began to see "false positives"; that is, if somebody sends a file to a website (for example, uploads files to an internal web page) it is shown like a portscan (maybe because of the ack_scans option).

I'm using snort 2.8.0.1 with libpcap 0.9.4, all libraries loaded (preprocessor, engine, detection) and all rules declared.

What else do I need???
or
which was my mistake???


See you
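An added illustration, not part of the original post and not Snort's sfportscan code, of the distinction that matters for a scan over an IP list: sfportscan's portscan type describes one source probing many ports on one host, while its portsweep type describes one source touching many hosts, which is what a list or range scan produces on the wire. The Python below runs a naive sliding-window version of both heuristics over constructed connection records, with a switch that mimics the effect of counting bare ACK packets. The addresses, thresholds, window and record format are all constructed for the example.

```python
"""Simplified portscan vs. portsweep detection over constructed records.

Added example, not Snort's sfportscan implementation: it mimics the
distinction the preprocessor's scan_type option draws between a portscan
(one source, one host, many ports) and a portsweep (one source, many
hosts), using a naive sliding window over parsed records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample traffic, one connection attempt per line:
#   "<date> <time> <src_ip> <dst_ip> <dst_port> <tcp_flags>"
# 10.0.0.5  probes port 80 on six hosts from a list  -> portsweep
# 10.0.0.9  probes six ports on a single host        -> portscan
# 10.0.0.20 is a normal client; its bare ACKs belong to sessions that
#           were already established when the capture started
SAMPLE_LOG = """\
2008-02-19 10:00:00 10.0.0.5 192.168.1.1 80 S
2008-02-19 10:00:01 10.0.0.5 192.168.1.2 80 S
2008-02-19 10:00:01 10.0.0.5 192.168.1.3 80 S
2008-02-19 10:00:02 10.0.0.5 192.168.1.4 80 S
2008-02-19 10:00:02 10.0.0.5 192.168.1.5 80 S
2008-02-19 10:00:03 10.0.0.5 192.168.1.6 80 S
2008-02-19 10:00:10 10.0.0.9 192.168.1.10 21 S
2008-02-19 10:00:10 10.0.0.9 192.168.1.10 22 S
2008-02-19 10:00:11 10.0.0.9 192.168.1.10 23 S
2008-02-19 10:00:11 10.0.0.9 192.168.1.10 25 S
2008-02-19 10:00:12 10.0.0.9 192.168.1.10 80 S
2008-02-19 10:00:12 10.0.0.9 192.168.1.10 443 S
2008-02-19 10:00:20 10.0.0.20 192.168.1.10 80 S
2008-02-19 10:00:21 10.0.0.20 192.168.1.10 80 A
2008-02-19 10:00:22 10.0.0.20 192.168.1.11 80 A
2008-02-19 10:00:23 10.0.0.20 192.168.1.12 80 A
2008-02-19 10:00:24 10.0.0.20 192.168.1.13 80 A
2008-02-19 10:00:25 10.0.0.20 192.168.1.14 80 A
"""


def parse_records(text):
    """Parse the constructed log format into (ts, src, dst, dport, flags) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, clock, src, dst, dport, flags = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        records.append((ts, src, dst, int(dport), flags))
    return records


def _flag(records, group_key, count_key, threshold, window, count_ack):
    """Within each group, count distinct count_key values seen inside `window`
    and report groups that reach `threshold`.  The reported value is the largest
    distinct count observed in any window for that group."""
    groups = defaultdict(list)
    for rec in records:
        if rec[4] == "A" and not count_ack:
            continue  # a bare ACK normally means an established session; skip unless asked
        groups[group_key(rec)].append(rec)
    flagged = {}
    for group, recs in groups.items():
        recs.sort(key=lambda r: r[0])
        for i, rec in enumerate(recs):
            recent = [r for r in recs[: i + 1] if rec[0] - r[0] <= window]
            distinct = len({count_key(r) for r in recent})
            if distinct >= threshold:
                flagged[group] = max(flagged.get(group, 0), distinct)
    return flagged


def detect_portsweeps(records, host_threshold=5, window=timedelta(seconds=60), count_ack=False):
    """One source reaching many distinct hosts: what a list/range scan looks like."""
    return _flag(records, group_key=lambda r: r[1], count_key=lambda r: r[2],
                 threshold=host_threshold, window=window, count_ack=count_ack)


def detect_portscans(records, port_threshold=5, window=timedelta(seconds=60), count_ack=False):
    """One source probing many distinct ports on one host: the classic portscan."""
    return _flag(records, group_key=lambda r: (r[1], r[2]), count_key=lambda r: r[3],
                 threshold=port_threshold, window=window, count_ack=count_ack)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("portsweeps (SYN only):    ", detect_portsweeps(recs))
    print("portsweeps (ACKs counted):", detect_portsweeps(recs, count_ack=True))
    print("portscans  (SYN only):    ", detect_portscans(recs))
```

Running it, the sweep from 10.0.0.5 is reported only by the portsweep check and the probe from 10.0.0.9 only by the portscan check, so a configuration that only watches for per-host port counts will stay silent on a list scan. The client 10.0.0.20 enters the sweep report only once bare ACKs are counted, which is the same kind of false positive the post describes after turning on detect_ack_scans: established sessions start feeding the scan counters.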
© 2000 - 2008 - All Rights Reserved - Property of  MAS Media