Snort mailing list archives

Re: ACID v0.9.6b24, spp_portscan2 and spp_portscan


From: "Richard Pesce" <RPesce () co amador ca us>
Date: Tue, 13 Jan 2004 12:11:33 -0800

This isn't going to fix the logging of the portscans, only the display
of them in ACID...

This may insult you, but when you declare your output method, are you
outputting alerts?
i.e.:
output database: alert, mysql, dbname=snortdb user=snort host=localhost
password=mypassword sensor_name=UNTRUST detail=full encoding=hex
Or are you outputting logs? If it is logs, then the portscan
preprocessors will not output to the database!


Also,
check acid_conf.php and make sure the $portscan_file variable is
declared.
i.e.:
$portscan_file = "/var/log/snort/scan.log";

Remember: ACID cannot natively access both spp_portscan and
spp_portscan2 log files concurrently.
However, I believe that the spp_portscan2 log is not required by ACID like
the spp_portscan log was, although it couldn't hurt.




Michael Scheidell <scheidell () secnap net> 01/13/04 11:55AM >>>

It may be that the wildcards are causing high database
utilization...

Probably the leading %.  Can't get a handle on an index.

How many alerts do you have? (approx)
400K
Were you experiencing the problem that I intended to "fix"?

Still only shows some very old 'syn scan portscans'.

I don't seem to log them still.
-- 
Michael Scheidell
SECNAP Network Security Corporation
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net 
Looking for a career in Internet security?
http://www.secnap.net/employment/


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
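As an added check (example code written for this archive page, not code from the original message, from Snort or from ACID): a small Python script that implements the two things the reply above tells the poster to verify, whether the MySQL output in snort.conf is declared with the alert facility rather than log, and whether $portscan_file is declared in acid_conf.php and points at an existing file. The snort.conf and acid_conf.php excerpts embedded in it are constructed sample input modelled on the lines quoted in the reply; the parsing rules (backslash line continuation, comma-separated output arguments, a quoted PHP string assignment) are assumptions about the Snort 1.x/2.x and ACID syntax of the time, and the path_exists parameter exists only so the check can run offline against the constructed input.

```python
"""Check a snort.conf / acid_conf.php pair for the two misconfigurations
discussed in the thread: a database output declared for 'log' instead of
'alert', and an undeclared (or empty) $portscan_file in acid_conf.php.

Added example; parsing rules below are assumptions about the old syntax.
"""
import os
import re

# "output <plugin>: <facility>, <db type>, <key=value ...>"  (assumed Snort 1.x/2.x syntax)
OUTPUT_RE = re.compile(r'^\s*output\s+(\w+)\s*:\s*(.*?)\s*$')
# PHP assignment as in acid_conf.php:  $portscan_file = "/var/log/snort/scan.log";
PORTSCAN_RE = re.compile(r'^\s*\$portscan_file\s*=\s*["\']([^"\']*)["\']\s*;')


def join_continuations(text):
    """Fold backslash-continued lines into one, as Snort's config reader does."""
    lines, buf = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith('\\'):
            buf += line[:-1].rstrip() + ' '
            continue
        lines.append(buf + line)
        buf = ''
    if buf:
        lines.append(buf.rstrip())
    return lines


def parse_snort_outputs(conf_text):
    """Return [(plugin, facility, db_type, params)] for every 'output' line.

    Only the database plugin is decoded; other plugins keep their raw args.
    """
    outputs = []
    for line in join_continuations(conf_text):
        if line.startswith('#'):
            continue
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, rest = m.group(1), m.group(2)
        if plugin != 'database':
            outputs.append((plugin, None, None, {'_raw': rest}))
            continue
        fields = [f.strip() for f in rest.split(',')]
        facility = fields[0] if fields else ''
        db_type = fields[1] if len(fields) > 1 else ''
        params = {}
        for tok in ' '.join(fields[2:]).split():
            key, _, value = tok.partition('=')
            params[key] = value
        outputs.append((plugin, facility, db_type, params))
    return outputs


def parse_portscan_file(acid_conf_text):
    """Return the $portscan_file value from acid_conf.php, or None if unset/empty."""
    for line in acid_conf_text.splitlines():
        if line.strip().startswith(('//', '#', '*')):
            continue  # skip commented-out declarations
        m = PORTSCAN_RE.match(line)
        if m:
            return m.group(1) or None
    return None


def check_configs(snort_conf_text, acid_conf_text, path_exists=os.path.exists):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    db_outputs = [o for o in parse_snort_outputs(snort_conf_text) if o[0] == 'database']
    if not db_outputs:
        findings.append('no "output database:" line in snort.conf')
    for _, facility, db_type, params in db_outputs:
        if facility != 'alert':
            findings.append('output database facility is "%s", not "alert": '
                            'portscan preprocessor alerts will not reach %s'
                            % (facility, db_type or 'the database'))
        for key in ('dbname', 'user', 'host'):
            if key not in params:
                findings.append('output database is missing %s=' % key)
    portscan_file = parse_portscan_file(acid_conf_text)
    if portscan_file is None:
        findings.append('$portscan_file is not declared (or is empty) in acid_conf.php')
    elif not path_exists(portscan_file):
        findings.append('$portscan_file "%s" does not exist' % portscan_file)
    return findings


# Constructed sample input, modelled on the lines quoted in the reply above.
SNORT_CONF_OK = """\
# minimal excerpt of a snort.conf
output database: alert, mysql, dbname=snortdb user=snort host=localhost \\
    password=mypassword sensor_name=UNTRUST detail=full encoding=hex
output alert_fast: alert.ids
"""
SNORT_CONF_LOG_ONLY = SNORT_CONF_OK.replace('alert, mysql', 'log, mysql')
ACID_CONF_OK = '$portscan_file = "/var/log/snort/scan.log";\n'
ACID_CONF_EMPTY = '$portscan_file = "";\n'

if __name__ == '__main__':
    cases = (('ok', SNORT_CONF_OK, ACID_CONF_OK),
             ('log-only output', SNORT_CONF_LOG_ONLY, ACID_CONF_OK),
             ('empty portscan_file', SNORT_CONF_OK, ACID_CONF_EMPTY))
    for name, snort, acid in cases:
        print(name + ':', check_configs(snort, acid, path_exists=lambda p: True) or 'OK')
```

Run it against the real files by reading snort.conf and acid_conf.php into the two text arguments and dropping the path_exists override, so the existence check runs against the sensor's filesystem; a declared $portscan_file that the snort user cannot write to will show up as a missing file on the first run.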