Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1328
Views
0
Helpful
0
Replies

Purpose of snort´s rules

aspekt23
Level 1
Level 1

‎04-21-2017 11:53 AM - edited ‎03-10-2019 06:49 AM

So for example, why i need scan.rules when there is something like sfportscan preprocessor ? Is it because preprocessor can not detect all the activities and so there is detecting engine using rules with well known signatures of network attacks trying to find match ? But there are also preproc rules, so i am bit confused now. So preprocessor use their own rules and then there are normal rules in case none of this preproc rules found the match ?

Recently i set up my sfportscan sucesfully, but i am bit confused why its generating alert with msg TCP Portscan  when there is not such a rule with this same msg in preprocessor.rules file.

The only rule in preprocessor.rule that look similiar is:

alert ( msg: "PSNG_TCP_PORTSCAN"; sid: 1; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )

and then there is line in  gen-msg.map :


122 || 1 || portscan: TCP Portscan

So i am asking  what is responsible for generating this alert, is it preprocessor itself or is it rule which preprocessor  use?

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card