Hello to all

I have been testing an IDS to see if it detects all kinds (that I know) of scans.

I used a popular program for scanning, and the IDS detects almost all the scans that I have tested, except one: the list of IPs from a range (#program <iplist option> X.X.0.0/X).

No alert is shown in the GUI of the IDS, but the result of the scan is registered in the Snort log file produced; I see it using tcpdump.

I wrote an sfportscan section as follows:

Code:
preprocessor sfportscan: proto { all } \
                                  scan_type  { all } \
                                  memcap { 10000000 } \
                                  sense_level { high } \
                                  detect_ack_scans
I added "detect_ack_scans", but it doesn't make any difference...
Also, I began to see "false positives"; that is, if somebody sends a file to a website (for example, uploading files to an internal web page), it's shown as a portscan (maybe because of the ack_scans option).

I'm using Snort 2.8.0.1 with libpcap 0.9.4, all libraries loaded (preprocessor, engine, detection) and all rules declared.

What else do I need???
or
Which was my mistake???


See you