I am in the process of configuring Snort in NIDS mode for our network and have had some success so far. I printed out the Snort manual and have been reading like a mad man. The one thing I cannot seem to find is how to modify the portscan alerts to include the source ip of the scan. We have had quite a few scans from the Internet in the last few days and I would really like to know their source. Here is the alert from /var/log/messages


Apr 22 11:13:35 raptor1 snort: Portscan detected from 192.168.10.10 Talker(fixed: 2 sliding: 30) Scanner(fixed: 0 sliding: 0)

Keep in mind 192.168.10.10 is the external interface of my Squid proxy (Connected to a DSL router)

There is a portscan.log file in /var/log/snort but it remains empty even as these alerts keep showing up. I must have something wrong with the flow_portscan rules or something. Can someone tell me how to make it output the source ip in the alert?

Wow this program is cool, I just wish I could absorb the manual through osmosis or something.

Can't remember, but where in the flow is your sensor located?

Snort lives on the Squid server with Home_NET set to 192.168.0.0/32 (LAN). and server_watchnet is also 192.168.0.0/32. I changed EXTERNAL_NET back to any from 192.168.10.0/32 as it seemed to detect more that way.

One of my main goals with Snort is to be able to detect suspicious activity coming from the machines that have direct access to the internet, including our two Squid proxies, 3 mail servers, etc. The idea being if one of them becomes rooted and the intruder attempts to probe the network from the machine, the others will detect it and alert on it.