Snort: Using a PreProcessor to detect a port scan

This task also uses a file of rules which have been put together to detect port scans.

From another host, port scan your host running snort using 2 different scan types:

nmap -sS and

nmap -sX and watch snort's response. (aside: -sS is a SYN scan and -sX is a XMAS scan)

a) Try this with no rules at all. See if snort detects the scan. Which of the 2 scans does it detect, if any? I'll like to understand the steps to achieve it. Grateful if i can have the list of steps to acheive this. I already have two kali with snort installed.

b) Then, try it with the portscan preprocessor enabled. You may need to change the section in snort.conf that specifies the sfportscan preprocessor to

# Portscan detection. For more information, see README.sfportscan preprocessor sfportscan: proto { all } memcap { 10000000 } scan_type { all } sense_level { medium } logfile { /var/log/snort/portscan }

Note you need to have include

classification.config

include reference.config

uncommented in snort.conf

**** I really need to understand the steps that can help me achieve it.

c) With scan.rules enabled, and with the sfportscan preprocessor enabled, from another host try nmap -sS -T sneaky -p 20-25 and see if the scan is detected. Note: This scan can take a while, as it involves an evasion attempt. Like to know what i need to do here.