Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] Missing Portscan Records in 2.8

from [frederick sonnichsen] Network Security [Permanent Link]
Subject: [Snort-users] Missing Portscan Records in 2.8
Date: Mon, 31 Mar 2008 14:22:24 -0400
I have recently installed snort 2.8.0.2 and I no longer get very many portscan alerts when compared to my older version, 2.3.3.
Looking at the older alert files, I see records such as the one below. These are missing from my 2.8.0.2 output:

alert from 2.3.3 missing from 2.8.0.2:
Mar 31 12:24:19 lyta snort: [122:5:0] (portscan) TCP Filtered Portscan {PROTO255} 128.128.100.76 -> 71.39.148.246

The preprocessors active in my 2.8.0.2 and 2.3.3 versions are listed below. The flow-portscan preprocessor in the 2.8 version is omitted in the sample install file, since stream5 was supposed to replace it.
Can anyone tell me if they have installed 2.8 and if they are still getting all the portscan records. I find that the new version does not detect most portscans at this time-

Thanks for any help,
Fritz

================== ACTIVE PREPROCESSORS in 2.8.0.2 INSTALL==================
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
preprocessor http_inspect_server: server default \
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
preprocessor ftp_telnet_protocol: telnet \
preprocessor ftp_telnet_protocol: ftp server default \
preprocessor ftp_telnet_protocol: ftp client default \
preprocessor smtp: \
preprocessor sfportscan: proto  { all } \
preprocessor dcerpc: \
preprocessor dns: \


================== ACTIVE PREPROCESSORS in 2.3.3 INSTALL==================
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: \
preprocessor sfportscan: proto { all } \


Leon wrote:

Hi.

You are using a snort.conf from an old version (2.3) of Snort, use the one that came with the 2.8 source and you should get on fine.
I guess that you installed an older version of snort from the apt repository.

You will want to remove the old versions and then use the snort.conf, and associated stuff from 2.8. You will find them under etc/ in the tarball.

-Leon



On 31 Mar 2008, at 14:33, jose wilter frazao wrote:

Hi,
I change parameter frag2 to frag3 in the /etc/snort/snot.conf, but is showing the next message:

Tagged Packet Limit: 256
/etc/snort/snort.conf(214) unknown dynamic preprocessor "frag3"
/etc/snort/snort.conf(360) unknown dynamic preprocessor "telnet_decode"
/etc/snort/snort.conf(500) unknown dynamic preprocessor "xlink2state"
ERROR: Misconfigured dynamic preprocessor(s)
Fatal Error, Quitting..


2008/3/29, Leon <seclists@rm-rf.co.uk <mailto:seclists@rm-rf.co.uk>>:

Hi 

    Looks like there are some problems with your snort.conf

    Mar 28 09:23:17 wilter-ubuntu snort[24673]:
    /etc/snort/snort.conf(214) unknown dynamic preprocessor "frag2"



    frag2 has been replaced with frag3, You shouldn't have it enabled
    on line 214 of your snort.conf

    As for the other errors, post your snort.conf with the full
    output of a snort -c /etc/snort/snort.conf -T and ill take a look.

-Leon


    On 28 Mar 2008, at 17:45, jose wilter frazao wrote:

Hello,
I do downloaded of snort from www.snort.com
<http://www.snort.com/> and compiled the Snort with support to
Mysql, and I installed in the Ubuntu 7.04.
When I insert the command "/usr/local/bin/snort -D -c
/etc/snort/snort.conf" for start the daemon of the Snort show
the massage in the "/var/log/syslog":



    Mar 28 09:23:17 wilter-ubuntu snort[24673]:
    /etc/snort/snort.conf(214) unknown dynamic preprocessor "frag2"
    Mar 28 09:23:17 wilter-ubuntu snort[24673]:
    /etc/snort/snort.conf(360) unknown dynamic preprocessor
    "telnet_decode"
    Mar 28 09:23:17 wilter-ubuntu snort[24673]:
    /etc/snort/snort.conf(500) unknown dynamic preprocessor
    "xlink2state"
    Mar 28 09:23:17 wilter-ubuntu snort[24673]: FATAL ERROR:
    Misconfigured dynamic preprocessor(s)



    What should I do to correct this problem?



    -------------------------------------------------------------------------
    Check out the new SourceForge.net Marketplace.
    It's the best place to buy or sell services for
    just about anything Open Source.
    
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace_______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    <mailto:Snort-users@lists.sourceforge.net>
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users



<snort.conf><output-snort> 


------------------------------------------------------------------------

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace

------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Snort isn't starting at the Ubuntu:, Leon
Previous by Thread:  Re: [Snort-users] Snort isn't starting at the Ubuntu:, Leon
Next by Thread:  Re: [Snort-users] Snort isn't starting at the Ubuntu:, Joel Esler
Indexes:  [Date] [Thread] [Top] [All Lists]