![]() If you want to actually test Snort, then turn on the Emerging Threats Scan rules and then direct an nmap scan towards a host behind Snort. So my suggestion is to stop wasting time playing with the portscan detection. ![]() And to boot, the detection for it is very prone to false positives with the way today's network connectivity works with regards to all the various applications out there. The short version is that in my humble opinion the portscan stuff is way overrated. There are also some tuneable settings for the preprocessor that control its sensitivity. secondly, when i do a portscan with nmap from 172.16.1.X to 192.168.1.X it shows all host ports are closed on terminal but it doesn't display any snort alert for the LAN interfaceįrom my understanding, after showing all host port are closed on terminal it is suppose to display an intrusion alert for portscan on the LAN interface but that is not is the case and i don't know why ?ĭo you have the portscan preprocessor enabled in Snort? It is not enabled by default because it is quite prone to false positives in today's networks. Firstly when i do a port scan with nmap from 1992.168.1.X to 172.16.1.X it shows host seems down on terminal (given that the host is actually up) with no snort alert display for the WAN interfaceįrom my understanding, it is actually suppose to display an intrusion alert for portscan and i don,t know why it does not ?. ![]() I have install and configure pfsense + snort and setup the two interfaces shown above in other to detect port scan and dos attack and alert. ![]() I have setup something as below on virtualbox to understand how pfsense together with snort function to detect and alert intrusions ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |