Snort mailing list archives
Portscans not displayed in ACID?
From: "Peters, Michael D." <Michael.Peters () acbl net>
Date: Wed, 21 Jan 2004 08:47:00 -0500
Could someone please advise me on what it takes to get portscan traffic to
show up in the ACID front page bar graph?
I have portscan data showing up in the current alert data just not in the
opening page bar graph.
For example:
snort] spp_portscan: PORTSCAN DETECTED from 68.15.238.162 (THRESHOLD 5 connections exceeded in 0 seconds)
These are the configuration parameters in the snort.conf file:
preprocessor flow: stats_interval 300 hash 1
preprocessor portscan: 68.16.185.128/27 5 6 /var/snort/portscan/snort.portscan
preprocessor stream4: keepstats, detect_scans, detect_state_problems, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor flow-portscan: \
talker-sliding-scale-factor 0.50 \
talker-fixed-threshold 30 \
talker-sliding-threshold 30 \
talker-sliding-window 20 \
talker-fixed-window 30 \
scoreboard-rows-talker 30000 \
server-watchnet [68.16.185.128/27] \
server-ignore-limit 200 \
server-rows 65535 \
server-learning-time 14400 \
server-scanner-limit 4 \
scanner-sliding-window 20 \
scanner-sliding-scale-factor 0.50 \
scanner-fixed-threshold 15 \
scanner-sliding-threshold 40 \
scanner-fixed-window 15 \
scoreboard-rows-scanner 30000 \
src-ignore-net [172.16.0.0/16] \
dst-ignore-net [10.0.0.0/30] \
alert-mode once \
output-mode msg \
tcp-penalties on
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=username password=password dbname=snort host=localhost sensor_name=HOME
I get /var/snort/portscan/snort.portscan logging just fine. It seems that I
just have some configuration issue causing this.
Any assistance would be appreciated.
Best regards,
Michael D. Peters
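A check worth running before digging into ACID's own query code (added here as an example; it is not part of Michael's post and not code from the Snort or ACID projects): query the tables the `output database` plugin writes to, and confirm both that the spp_portscan events are really being stored and whether they carry IP-header rows. The table and column names are those of the standard Snort 2.x MySQL schema shipped as `create_mysql` (`sensor`, `event`, `signature`, `iphdr`); the sensor hostname `HOME` (taken from `sensor_name=HOME` in the post) and the `LIKE '%portscan%'` filter are assumptions about how the rows are labelled.

```sql
-- Added example, not from the original post: check what the output database
-- plugin actually stored for portscan events.
-- Schema assumed to be the standard Snort 2.x create_mysql layout:
--   sensor(sid, hostname, interface, ...)
--   event(sid, cid, signature, timestamp)
--   signature(sig_id, sig_name, ...)
--   iphdr(sid, cid, ip_src, ip_dst, ip_proto, ...)
-- Assumptions: the sensor registered itself as hostname 'HOME' (sensor_name=HOME
-- in the post) and portscan signature names contain the substring 'portscan'.

-- 1. Per portscan signature: how many events exist, how many of them have no
--    iphdr row at all (i.e. were logged without a packet), and the time span.
SELECT s.sig_name,
       COUNT(*)           AS events,
       SUM(i.cid IS NULL) AS without_iphdr,   -- MySQL: boolean sums as 0/1
       MIN(e.timestamp)   AS first_seen,
       MAX(e.timestamp)   AS last_seen
FROM event e
JOIN sensor    sen ON sen.sid    = e.sid
JOIN signature s   ON s.sig_id   = e.signature
LEFT JOIN iphdr i  ON i.sid = e.sid AND i.cid = e.cid
WHERE sen.hostname = 'HOME'
  AND s.sig_name LIKE '%portscan%'
GROUP BY s.sig_name
ORDER BY events DESC;

-- 2. Protocol breakdown for the same sensor over the last day, bucketed the
--    only way a per-protocol chart can be: from iphdr.ip_proto. Events without
--    an iphdr row land in the 'no IP header' bucket; a chart that only knows
--    1/6/17 cannot place them anywhere.
SELECT COALESCE(CASE i.ip_proto
                  WHEN 1  THEN 'ICMP'
                  WHEN 6  THEN 'TCP'
                  WHEN 17 THEN 'UDP'
                  ELSE CONCAT('proto ', i.ip_proto)
                END, 'no IP header') AS protocol,
       COUNT(*) AS events
FROM event e
JOIN sensor sen   ON sen.sid = e.sid
LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE sen.hostname = 'HOME'
  AND e.timestamp >= NOW() - INTERVAL 1 DAY
GROUP BY protocol
ORDER BY events DESC;
```

If the first query returns rows for spp_portscan but `without_iphdr` equals `events`, the portscan alerts exist in the database but carry no layer-3 data, so nothing keyed on `ip_proto` can count them; that narrows the problem to how the front page buckets events rather than to the Snort configuration. ACID also builds its front-page counts from its own `acid_event` cache table rather than from these tables directly, so a mismatch between these results and the front page points at that cache or at ACID's bucketing, not at the sensor.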
Current thread:
- Portscans not displayed in ACID? Peters, Michael D. (Jan 21)
- <Possible follow-ups>
- RE: Portscans not displayed in ACID? Peters, Michael D. (Jan 23)
