Snort mailing list archives
Re: ACID v0.9.6b24, spp_portscan2 and spp_portscan
From: "Richard Pesce" <RPesce () co amador ca us>
Date: Tue, 13 Jan 2004 12:11:33 -0800
This isn't going to fix the logging of the portscans, only the display of them in ACID...

This may insult you, but when you declare your output method, are you outputting alerts? i.e.:

output database: alert, mysql, dbname=snortdb user=snort host=localhost password=mypassword sensor_name=UNTRUST detail=full encoding=hex

or are you outputting logs? If it is logs then the portscan preprocessors will not output to the database!

Also, check the acid_conf.php and make sure the $portscan_file var is declared. i.e.:

$portscan_file = "/var/log/snort/scan.log";

Remember: ACID cannot natively access both spp_portscan and spp_portscan2 log files concurrently. However, I believe that the spp_portscan2 log is not required by ACID like the spp_portscan was, although it couldn't hurt.
Michael Scheidell <scheidell () secnap net> 01/13/04 11:55AM >>>
It may be that the wildcards are causing high database
utilization...
probably the leading %. Can't get a handle on an index.
How many alerts do you have? (approx)
400K
Were you experiencing the problem that I intended to "fix"?
Still only shows some very old 'syn scan portscans'. I don't seem to log them still.

--
Michael Scheidell
SECNAP Network Security Corporation
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security? http://www.secnap.net/employment/
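A small check for the two settings Richard asks about, as an added example that is not part of the thread or of the Snort or ACID projects: it reads the facility word from any "output database:" line in a snort.conf and the path assigned to $portscan_file in an acid_conf.php. The config fragments are constructed for this example; only the two line forms quoted in the message above are assumed, and the "log means no portscan events in the database" interpretation is Richard's.

```shell
#!/bin/sh
# Added example, not code from the thread: checks for an
# "output database: alert" line in snort.conf and a $portscan_file
# assignment in acid_conf.php. All config text below is constructed;
# the line syntax follows the message above.

# Constructed snort.conf excerpt using the log facility (the case the
# message says will not get portscan events into the database).
SNORT_CONF_LOG='# constructed snort.conf excerpt
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/scan.log
output database: log, mysql, dbname=snortdb user=snort host=localhost password=mypassword sensor_name=UNTRUST detail=full encoding=hex'

# Constructed snort.conf excerpt using the alert facility, as in the message.
SNORT_CONF_ALERT='# constructed snort.conf excerpt
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/scan.log
output database: alert, mysql, dbname=snortdb user=snort host=localhost password=mypassword sensor_name=UNTRUST detail=full encoding=hex'

# Constructed acid_conf.php excerpt with $portscan_file declared.
ACID_CONF='<?php
/* constructed acid_conf.php excerpt */
$sample_other_setting = "unrelated";  /* constructed, shows unrelated lines are skipped */
$portscan_file = "/var/log/snort/scan.log";
?>'

# Print the facility word (alert or log) of every "output database:" line in $1.
db_output_facilities() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*output[[:space:]]*database:[[:space:]]*\([a-z]*\).*/\1/p'
}

# Succeed (exit 0) if at least one output database line uses the alert facility.
has_alert_db_output() {
  db_output_facilities "$1" | grep -qx alert
}

# Print the path assigned to $portscan_file in the acid_conf.php text $1, if any.
acid_portscan_file() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*\$portscan_file[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Human-readable summary of both checks for one snort.conf and one acid_conf.php.
report() {
  if has_alert_db_output "$1"; then
    echo "snort.conf: output database uses the alert facility"
  else
    echo "snort.conf: no 'output database: alert' line; portscan preprocessor output will not reach the database"
  fi
  path=$(acid_portscan_file "$2")
  if [ -n "$path" ]; then
    echo "acid_conf.php: \$portscan_file = $path"
  else
    echo "acid_conf.php: \$portscan_file is not declared"
  fi
}

report "$SNORT_CONF_LOG" "$ACID_CONF"
report "$SNORT_CONF_ALERT" "$ACID_CONF"
```

To run it against real files, replace the constructed strings with `"$(cat /etc/snort/snort.conf)"` and `"$(cat /path/to/acid_conf.php)"`; the functions take the file contents as their single argument so the sample text and real text are handled identically.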