Re: spp_portscan and mysql

["Mikael Chambon" <snort-ml () cronos org>]

Thanks for your responce Jeff,


Effectively you were right about my conf file.
But As I can read in README.databases, the syntaxe is:

[log | alert]

So there is no possibility to have log and alert logged in the databases in
the same
time ??

Thanks,


--
Mikael Chambon || Paris France
mikael (at) cronos.org
mikael (at) nerim.net
PGP key http://www.cronos.org/mikael/pgp/key.txt
----- Original Message -----
From: "Wirth, Jeff" <WirthJe () DNB com>
To: "'Mikael Chambon'" <snort-ml () cronos org>;
<snort-users () lists sourceforge net>
Sent: Monday, May 13, 2002 4:13 PM
Subject: RE: [Snort-users] spp_portscan and mysql


> From: Mikael Chambon [mailto:snort-ml () cronos org]
> > I am using snort 1.8.6, mysql 3.23.49, snortreport 1.11 on a
> > Linux 2.4.18
> > Snort is correctly detecting portscan and writes correctly alert and
> > portscan.log:
> >
> > May 12 19:44:37 207.71.92.221:15000 -> 192.168.X.X:5000 SYN ******S*
> > May 12 19:44:36 207.71.92.221:10445 -> 192.168.X.X:445 SYN ******S*
> > May 12 19:44:36 207.71.92.221:10143 -> 192.168.X.X:143 SYN ******S*
> > May 12 19:44:36 207.71.92.221:10139 -> 192.168.X.X:139 SYN ******S*
> >
> > The problem is, nothing is write in the sql databases when it
> > comes from
> > spp_portscan
>
> ...check your snort.conf file, I would guess you have something along the
> lines of:
>
> output database: log, mysql, <other options>
>      ^^^
> In order to see portscan data you need to modify the above to:
>
> output database: alert, mysql, <other options>
>                        ^^^^^
> > As we can see there is nothing from spp_portscan (but
> > spp_stream4 mysql
> > logging is working)
>
> because spp_stream4 writes to the log facility and spp_portscan does
not...
> > I am not a SQL or snort guru and I used the "create_mysql"
> > file  (from snort
> > contrib) to create sql tables.
> >
> > Is is normal ?? Did I miss something ? What can I do ?
>
> You can make the change above, but beware, the data will not appear in
your
> database as it does in your portscan.log file.  The format is something
like
> (as it would appear in your alert file)....
>
> " spp_portscan: PORTSCAN DETECTED to port 80 from XXX.XXX.XXX.XXX "
>
> - Jeff


_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users