- 02-19-2008 #1, Just Joined!
- Join Date: Oct 2007
- Location: Mexico
- Posts: 65
Snort - What change on snort.conf to detect IP list scan???
Hello to all
I have been testing an IDS to see if it detects all kinds (that I know) of scans.
I used a popular program for scanning and the IDS detects almost all scans that I have tested, except one, the list of IPs from a range (#program <iplist option> X.X.0.0/X)
No alert is shown in the GUI of the IDS, but the result of the scan is registered in the snort log file produced; I see it using tcpdump.
I wrote an sfportscan section as follows:
Code:
    preprocessor sfportscan: proto { all } \
        scan_type { all } \
        memcap { 10000000 } \
        sense_level { high } \
        detect_ack_scans
I added "detect_ack_scans" but it doesn't make any difference . . .
Also I began to see "false positives", meaning that if somebody sends a file to a website (for example, uploads files for an internal web page) it is shown like a portscan (maybe because of the ack_scans option)
I'm using Snort 2.8.0.1 with libpcap 0.9.4, all libraries loaded (preprocessor, engine, detection) and all rules declared.
What else do I need???
or
which was my mistake???
See you


