Snort mailing list archives
Re: prob w/ database output configuration & ACID
From: Erek Adams <erek () snort org>
Date: Fri, 28 Mar 2003 14:48:21 -0500 (EST)
On Fri, 28 Mar 2003, Rob Burris wrote:
> Running in "log" mode will send output from both log and alert rules. Everything will be categorized under TCP, UDP, and ICMP profiles (even portscans) and nothing will show up under the Portscans Traffic profile. At least, that's the way it seems to work w/ my configuration. All logged portscans go under the TCP profile.
That's right, but that's not what you asked... :)
> In the acid_config.php file there is a variable $portscan_file which is set to the path, I assume, of the portscan.log file, which contains the IP source and destination address of scans, but no packet info. Where does this come into the big picture w/ ACID (and portscans)? There didn't seem to be much info on this in the README file other than it was optional.
What isn't obvious: The portscan and portscan2 preprocessors do not _have_ the entire packet to write to the DB. They only have a limited amount of info: src ip, src port, dst ip, dst port, and flags. It never stores the data of the payload -- that's why you can't ever have the payload (full packet) info in the database from the portscan/portscan2 preprocessors.
> Thanks for the previous reply!
No problem. Glad to have shed some light on it for you.

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
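To make the point above concrete: the portscan preprocessor's flat log carries nothing but timestamp, endpoints, scan type and TCP flag bits, so the most an analyst (or ACID) can reconstruct from it is a per-source summary of which ports were touched. The parser below is an added example, not code from the thread, Snort or ACID; the line layout of the constructed sample is assumed from memory of the Snort 1.x portscan.log format, and the sample lines themselves are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed Snort 1.x portscan.log layout, not taken
# from the thread). Each line has only a timestamp, src ip:port, dst ip:port,
# a scan-type label and the TCP flag bits. There is no payload field at all,
# which is exactly why ACID can never show packet contents for these events.
# One junk line is included to show that malformed input is skipped, not crashed on.
SAMPLE_PORTSCAN_LOG = """\
Mar 28 14:40:01 192.0.2.10:40123 -> 198.51.100.5:21 SYN ******S*
Mar 28 14:40:01 192.0.2.10:40124 -> 198.51.100.5:22 SYN ******S*
Mar 28 14:40:01 192.0.2.10:40125 -> 198.51.100.5:23 SYN ******S*
Mar 28 14:40:02 192.0.2.10:40126 -> 198.51.100.5:80 SYN ******S*
Mar 28 14:41:10 203.0.113.7:55000 -> 198.51.100.5:443 SYN ******S*
Mar 28 14:41:11 203.0.113.7:55001 -> 198.51.100.5:443 SYN ******S*
this line is deliberately garbage and must be ignored
"""

# Regex for the assumed layout: "<Mon> <day> <HH:MM:SS> <src>:<port> -> <dst>:<port> <type> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d{1,5}) -> "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d{1,5}) "
    r"(?P<scan_type>\S+) (?P<flags>\S+)$"
)

# The only fields a portscan.log entry can ever yield; note: no payload key.
ENTRY_FIELDS = ("ts", "src_ip", "src_port", "dst_ip", "dst_port", "scan_type", "flags")


def parse_portscan_log(text):
    """Parse portscan.log text into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unexpected line: skip rather than abort
        e = m.groupdict()
        e["src_port"] = int(e["src_port"])
        e["dst_port"] = int(e["dst_port"])
        entries.append(e)
    return entries


def summarize_by_source(entries):
    """Per scanning source: number of log lines, distinct targets and sorted distinct dst ports.

    This is the level of detail a header-only log supports; there is no payload to inspect.
    """
    summary = defaultdict(lambda: {"events": 0, "targets": set(), "ports": set()})
    for e in entries:
        s = summary[e["src_ip"]]
        s["events"] += 1
        s["targets"].add(e["dst_ip"])
        s["ports"].add(e["dst_port"])
    # Freeze sets into sorted lists so the result is deterministic and easy to print/compare.
    return {
        src: {"events": s["events"], "targets": sorted(s["targets"]), "ports": sorted(s["ports"])}
        for src, s in summary.items()
    }


if __name__ == "__main__":
    parsed = parse_portscan_log(SAMPLE_PORTSCAN_LOG)
    for src, s in summarize_by_source(parsed).items():
        print(f"{src}: {s['events']} events, targets={s['targets']}, ports={s['ports']}")
```

Run as a script it prints one line per scanning source; the useful thing to notice is that every key in a parsed entry is a header-level field, so any ACID "Portscans Traffic" profile built from this file could only ever show endpoints and flags, never packet data.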