Snort - What change on snort.conf to detect IP list scan???

02-19-2008	#1 (permalink)
Saltamontes Just Joined! Join Date: Oct 2007 Location: Mexico Posts: 65	Snort - What change on snort.conf to detect IP list scan??? Hello to all I been testing an IDS to see if detects all kinds (that i know) of scans I used a popular program for scanning and detects almost all scans that i have tested, except one, the list of IPs from a range (#program <iplist option> X.X.0.0/X) No alert is shown in the GUI of the IDS, but the result of the scan is registered in the snort log file produced, i see it using tcpdump. i wrote a sfportscan section as follows: Code: preporcessor sfportscan: proto { all } \ scan_type { all } \ memcap { 10000000 } \ sense_level { high } \ detect_ack_scans i added the "detect_ack_scans" but don't make any difference . . . also i began to see "false positives", it means, if somebody sends a file to a webiste (for example, upload files for a internal web page) its shown like a portscan (maybe becuase the ack_scans option) Im using snort 2.8.0.1 with libpcap 0.9.4, all libraries loaded (preprocessor, engine, detection) and all rules declared. What else i need??? or wich was my mistake??? See you

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Posting Rules
You may not post new threads You may not post replies You may not post attachments You may not edit your posts BB code is On Smilies are On [IMG] code is On HTML code is Off Trackbacks are Off Pingbacks are Off Refbacks are Off