From: Matt L. <ml...@em...> - 2003-11-11 01:04:11

Greetings everyone;

Is anyone willing to share a clear understanding of how the portscan preprocessor works under snort-inline? I've done some testing and my gateway doesn't seem to be blocking any portscan traffic.

I have two snort gateways in bridge mode, set up as follows:

  Laptop --> gateway1 --> LAN --> gateway2 --> router --> internet

When doing a portscan from the Laptop to a machine on the internet, I should see traffic logged in the portscan log on gateway1 and very little on gateway2, if 1 is blocking correctly. However, they both register all portscan traffic.

The rule being used (on both) is:

  preprocessor portscan: $HONEYNET 10 2 /export/snort/logs/portscan
  preprocessor portscan-ignorehosts: x.x.x.x (sanitized)

Has the portscan preprocessor not been patched to support drop mode yet?

+---------------------------------------------------
| Regards;
| Matt Linton
| UNIX Systems Administrator
| ASANI Solutions, LLC.
+---------------------------------------------------

On Fri, 7 Nov 2003, Rob McMillen wrote:

> The reason it fails is because the function calls between Libnet 1.1 and
> 1.0.2 changed a great deal. Since Flexresp depends on Libnet 1.0.2, I
> used it for snort-inline to avoid requiring two different versions of
> Libnet.
>
> Rob
>
> On Fri, 7 Nov 2003, Stephan Scholz wrote:
>
> > Hi Josh,
> >
> > I tried Libnet 1.1 with Inline Snort 2.0 and it failed. So I switched
> > back to Libnet 1.0.2.
> >
> > Stephan
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
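The threshold logic behind the "portscan: <network> <ports> <seconds> <logfile>" line in the post, modelled as an added example (this is not snort-inline's or Snort's own code): a source that touches at least <ports> distinct destination ports within <seconds> is flagged. The two-gateway chain below is an assumed model of the post's topology, not a description of what any snort-inline version actually does; it shows why an alert-only gateway1 leaves gateway2 seeing the whole scan, and what changes if gateway1 dropped flagged sources. The packet tuples are constructed sample input.

```python
"""Simplified model of the classic Snort 2.0 portscan preprocessor
threshold (ports touched per source within a sliding time window) and of
two snort gateways in series.  Added example for this thread; the drop
behaviour is an assumed model, not snort-inline's implementation."""
from collections import defaultdict, deque


class PortscanDetector:
    """Sliding-window count of distinct (dst, dport) pairs per source.
    Defaults mirror the post's config: 10 ports within 2 seconds."""

    def __init__(self, ports=10, seconds=2.0):
        self.ports = ports
        self.seconds = seconds
        self.window = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
        self.flagged = set()               # sources currently over threshold
        self.alerts = []                   # (src, ts) each time threshold is crossed

    def observe(self, ts, src, dst, dport):
        """Feed one packet (ts in seconds); return True if src is over the threshold."""
        q = self.window[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > self.seconds:      # expire entries outside the window
            q.popleft()
        distinct = len({key for _, key in q})
        if distinct >= self.ports:
            if src not in self.flagged:                # log once per excursion over threshold
                self.flagged.add(src)
                self.alerts.append((src, ts))
            return True
        self.flagged.discard(src)
        return False


def bridge_chain(packets, gw1_drops):
    """Pass packets through gateway1 and then gateway2, both running the
    same detector.  gw1_drops=False is alert-only: gateway1 forwards all
    traffic, so gateway2 sees the full scan and logs it too (what the post
    observes).  gw1_drops=True is the assumed drop mode: gateway1 stops
    forwarding a source while it is over threshold, so gateway2 only ever
    sees the pre-alert packets.  Returns (gw1 alerts, gw2 alerts, packets
    reaching gateway2)."""
    gw1, gw2 = PortscanDetector(), PortscanDetector()
    forwarded = 0
    for pkt in packets:
        over = gw1.observe(*pkt)
        if gw1_drops and over:
            continue                                   # dropped at gateway1
        gw2.observe(*pkt)
        forwarded += 1
    return len(gw1.alerts), len(gw2.alerts), forwarded


# Constructed sample traffic: (ts, src, dst, dport)
# A fast scan: one SYN per port, 20 ports in one second.
SCAN = [(0.05 * i, "10.0.0.5", "203.0.113.9", 1 + i) for i in range(20)]
# A slow source touching 3 ports over 10 seconds: never 10 ports in any
# 2-second window, so the threshold logic cannot see it at all.
SLOW = [(5.0 * i, "10.0.0.6", "203.0.113.9", 80 + i) for i in range(3)]
SAMPLE = sorted(SCAN + SLOW)

if __name__ == "__main__":
    print("alert-only gateway1:", bridge_chain(SAMPLE, gw1_drops=False))
    print("dropping gateway1:  ", bridge_chain(SAMPLE, gw1_drops=True))
```

In alert-only mode both detectors fire once for the fast scanner and gateway2 receives every packet, which is exactly the symptom in the post: identical portscan logs on both boxes. With a dropping gateway1 the scanner is cut off at its tenth port, so gateway2 sees nine ports and never reaches the threshold. The slow source is invisible to both, the usual caveat with a fixed ports-per-window threshold.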