Snort mailing list archives

Re: No portscan alerts shown in acid.


From: "John Creegan" <jcreegan () questarweb com>
Date: Fri, 17 Oct 2003 08:52:17 -0500

Maybe change your output database from log to alert?  If I remember
right, that's what I had to do...

And of course, we always have to remember to restart snort after making
configuration changes :-)

"Peters, Michael D." <Michael.Peters () acbl net> 10/17/03 08:20AM

I have made the following changes to the snort.conf file in an attempt to show portscan information in acid. I just don't see anything shown on the acid_main.php page. I do see the information being logged but nothing is being shown as a "Latest Greatest Alert".

# Snort preprocessors
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts, keepstats
preprocessor stream4_reassemble: both
preprocessor http_decode: 80 8080 18080 443 1812 3852 12345 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor portscan: $FWO_NET 5 3 /var/snort/portscan/fwo/fwo-portscan.log
preprocessor portscan-ignorehosts:  68.16.185.133/32 68.16.185.134/32
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
#preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
#preprocessor portscan2-ignorehosts: 172.16.0.0/12
# preprocessor perfmonitor: console flow events time 10
# output log_tcpdump: tcpdump.log
output database: log, mysql, user=name password=password dbname=snort host=localhost sensor_name=FWO

I have looked in the mailing archives. Can anyone assist me in finding out what I am doing wrong?

Best regards,

Michael D. Peters 
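The mismatch John points at (portscan preprocessors raise alerts, but an `output database: log, ...` plugin only receives the log facility, so ACID never sees them) can be checked mechanically. The script below is an added illustration, not Snort's own code; the helper names, the sample config and the placeholder credentials are mine.

```python
# Added illustration (not Snort code): lint a snort.conf for the symptom in this
# thread, where portscan alerts reach the preprocessor's log file but never the
# database because the only 'output database:' line uses the 'log' facility.
import re

# Constructed sample modelled on the quoted config; credentials are placeholders
# and the trailing backslash is Snort's own line-continuation syntax.
SAMPLE_CONF = """\
# Snort preprocessors
preprocessor stream4: detect_scans, disable_evasion_alerts, keepstats
preprocessor portscan: $FWO_NET 5 3 \\
    /var/snort/portscan/fwo/fwo-portscan.log
#preprocessor portscan2: scanners_max 256, targets_max 1024
output database: log, mysql, user=USER password=PASS dbname=snort \\
    host=localhost sensor_name=FWO
"""

def logical_lines(text):
    """Yield directives with comments dropped and continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continued on the next line
            buf += line[:-1].rstrip() + " "
            continue
        stripped = (buf + line).strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            yield stripped

def check_alert_outputs(conf_text):
    """Return (scan_preprocessors, db_facilities, problems)."""
    scanners, facilities, problems = [], set(), []
    for line in logical_lines(conf_text):
        m = re.match(r"preprocessor\s+(portscan2?)\s*:", line)
        if m:
            scanners.append(m.group(1))
        m = re.match(r"output\s+database:\s*(alert|log)\b", line)
        if m:
            facilities.add(m.group(1))
    # portscan/portscan2 emit alerts, which only an 'alert' output plugin sees
    if scanners and "alert" not in facilities:
        problems.append("%s enabled but no 'output database: alert, ...' line;"
                        " ACID will never show these events" % ", ".join(scanners))
    return scanners, facilities, problems

if __name__ == "__main__":
    for problem in check_alert_outputs(SAMPLE_CONF)[2]:
        print("WARNING:", problem)
```

Run against the sample it reports the single mismatch; change the facility to `alert` (or add a second `output database: alert, ...` line) and it reports nothing.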



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

