Short answer to my question : YES.
Recently I come across a module named sfportscan which it have a lot's of options such as memory to save packets and analysis theme with time out and number of connections.
To Enable sfportscan, you should
1- Add this to snort.cont usually in /etc/snort/ :
preprocessor sfportscan: proto { all } \
scan_type { all } \
sense_level { high } \
logfile { alert }
It will look for all protocols and all type of scans like SYN, Null , ... and log them in the log directory in the alert file (alert is an actual file name) which we've mentioned in option logfile. The space after and before brackets are important, snort parser issue an error without them.
2- Run snort -c "/etc/snort/snort.conf" -T
to make sure all config are Okey.
3- Run /etc/init.d/snort stop
and /etc/init.d/snort start
with some delay , to restart the Snort .
4- Open your alert file to see the alerts :
tail -f [Address to log Directory]/alert
5- Test if it create the log with NMAP, open another terminal in other machine and:
sudo nmap [Your Firewall or NIDS IP Address]
6- You should see somthing like this in tail file:
Time: 02/23-12:54:21.183932
event_ref: 0
[Source ip address] -> [Destination ip address] (portscan) TCP Portscan
Priority Count: 9
Connection Count: 10
IP Count: 1
Scanner IP Range: [Destination ip address]:[Destination ip address]
Port/Proto Count: 10
Port/Proto Range: 981:12174
My Note:
Snort is a great IDS and it used in many free and even commercial products but it has a poor documentation and examples and YouTube introductions, it would be great if its community have more involvement in Stackoverflow , questions.