RE: ACID Reporting and Portscans

["Joe Giles" <jgiles () joeman1 com>]

Well, Now Im totaly confused. I am logging to the syslog AND to MySQL (For Acid), and in the syslog, Im getting:
Aug  6 13:21:23 wolfserver snort: spp_portscan: portscan status from <ip Address>: 1 connections across 1 hosts: 
TCP(1), UDP(0)  , but in Acid, Im not seeing that. The portscan.log file has these permissions:

-rw-rw-r--    1 root     root        67691 Aug  6 13:22 portscan.log

Any Ideas why its not showing up in Acid?

Thanks

Joe

> You may already be doing this, so don't take offense if you have!  When you
> see an alert for spp_portscan, and click on the IP address, you won't see
> portscan data.  You will only see the data for that alert - and since the
> portscan data isn't kept in the alert itself, it isn't shown here.  After
> clicking on the IP address for which a portscan alert was generated, you
> need to click on "Portscan Events" towards the top of the screen.  It's in
> the middle of a list like:
>
> all alerts with 68.15.1.134/32 as : source | destination |
> source/destination
> show: unique alerts   |   portscan events 
>                           ^^^^^^^^^^^^^^^
> Registry lookup (whois) in: ARIN | RIPE APNIC
> External: DNS | whois | SamSpade
>
> If you're already doing this and not getting data, you may want to check
> permissions on your portscan.log file to make sure your apache user (or
> equivalent) has read access.
>
> HTH,
>
> Mike
>
> > -----Original Message-----
> > From: Joe Giles [mailto:jgiles () joeman1 com]
> > Sent: Tuesday, August 06, 2002 12:08 PM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] ACID Reporting and Portscans
> >
> >
> > Probobly a simple setup issue, but I cant get any data from 
> > ACID's Portscan Traffic. I get data from my portscan 
> > preprocessor. I can generate a file 
> > /var/log/snort/portscan.log (Owned by root) and the file is 
> > working, and I have it set up in the acid_conf.php file, I 
> > have $portscan_file = "/var/log/snort/portscan.log"; set. 
> > But, Im not ever getting any port scan traffic. I can see 
> > different port scan information in the logs, but isnt it 
> > supposed to generate portscan spicific info?
> >
> > Thanks
> >
> > Joe Giles
> > jgiles () joeman1 com
> > AOL ID: mcigiles
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users


Joe Giles
jgiles () joeman1 com
AOL ID: mcigiles


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users