Re: [Snort-users] sfportscanner

On Tue, Feb 22, Dominic wrote:
>    I  have  enabled  the  sfportscanner  preprocessor,  but the
>    logfile never gets any data written to it. The alert file logs
>    all the IDS  events,  but I get no sfportscans, even if I use
>    nmap to scan the box. My sfportscanner config is as follows:

That's strange that you're not getting any portscan alerts at all. Off
the top of my head, do you have the flow preprocessor enabled? Send me
your config and what you think should be triggering scan alerts (off
list) and we'll figure it out.

>    preprocessor sfportscan: proto  { all } \
>                             scan_type { all } \
>                             memcap { 10000000 } \
>                             sense_level { medium } \
>                             logfile { /var/log/snort/portscan.log }

A side note about logging to a file with sfportscan: The portscan
logfile is a summary of your portscan alerts. The "Open Port" alerts
will continue to be logged to whatever your event output is set to
(ex: database) along with the portscan alert.




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users