Snort mailing list archives

Base not reporting "Portscan Traffic"


From: Mike Boeckeler <boeckelr () gmail com>
Date: Mon, 17 Oct 2011 02:11:07 -0400

Hi everyone,

Last week I started a thread about not being able to get
Snort/Base/Barnyard2 to work with multiple sensors.  Thanks to your help, I
finally got it working and, with the exception of one issue, it's working well.

The one problem is that "Portscan Traffic" in Base is stuck at zero.  I have
read through the thread that was on here last summer -
http://seclists.org/snort/2011/q3/144  - and have done what was recommended
- to use barnyard2-1.9, and to modify my barnyard2.conf (in my case I have 2
barnyard2.conf files) with this:

input unified2:  input_mode

in my case I set input_mode to log_unified2, but I tried the others as well.

I also set up sfportscan in my 2 snort.conf files, and I pointed Base to it
by modifying base_conf.php.  I have the permissions correct - when I nmap my
network, the portscan.log file grows... and I can actually see some of the
info contained in it inside of Base - when I click on any IP address in
Base, there is a "Portscan Events" button in the upper right - when I click
on it, if that IP address was either the source or victim of a portscan, it
displays the type of portscan (i.e., TCP Filtered Portscan, etc.)... and then
some details:

Priority Count: 0
Connection Count: 200
IP Count: 1
Scanner IP Range: 192.168.1.14:192.168.1.14
Port/Proto Count: 199
Port/Proto Range: 1:61900

So "Portscan Events" works fine in Base... but "Portscan Traffic" is
stuck at zero.

Does anyone have any ideas?  Like I said, I have searched around for
an answer to this... some people said that the way to fix it was to use
mysql instead of barnyard2... but in the thread I linked to above, it
sounds like this should work fine with barnyard2.

Sorry for the inconsistent fonts - gmail is screwing up the formatting
on this for some reason tonight.

Thanks for your help.
Mike
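The portscan.log fields the post quotes (Priority Count, Connection Count, IP Count, Scanner IP Range, Port/Proto Count, Port/Proto Range) are simple enough to parse directly, which is a useful cross-check when a front end such as Base shows a zero counter: if a parser can count events in the file the sensor is writing, the gap is on the display side rather than on the sensor. The following is an added example, not code from the post or from the Snort, Barnyard2 or Base projects. The sample log is constructed, modeled on the fields shown in the post and on the sfportscan log example in the Snort manual; the exact shape of the "Time:" and "event_id:" header lines is an assumption, and the parser only requires the "src -> dst (portscan) type" line and the "Name: value" counter lines.

```python
"""Parse an sfportscan text log (the portscan.log file Base is pointed at)
and summarize it per scanning host, independently of Base's own counters.

Added example; not code from the post or from Snort/Barnyard2/Base.
"""
import re
import sys
from collections import defaultdict

# Constructed sample log. Field names follow the post; the Time/event_id
# header lines are an assumption based on the Snort manual's example.
SAMPLE_LOG = """Time: 10/17-01:58:12.104331
event_id: 1
192.168.1.14 -> 192.168.1.1 (portscan) TCP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 1
Scanner IP Range: 192.168.1.14:192.168.1.14
Port/Proto Count: 199
Port/Proto Range: 1:61900

Time: 10/17-02:03:40.771208
event_id: 2
192.168.1.14 -> 192.168.1.20 (portscan) TCP Portsweep
Priority Count: 5
Connection Count: 120
IP Count: 12
Scanner IP Range: 192.168.1.14:192.168.1.14
Port/Proto Count: 1
Port/Proto Range: 22:22

Time: 10/17-02:05:01.000012
event_id: 3
10.0.0.7 -> 192.168.1.1 (portscan) UDP Portscan
Priority Count: 0
Connection Count: 45
IP Count: 1
Scanner IP Range: 10.0.0.7:10.0.0.7
Port/Proto Count: 45
Port/Proto Range: 53:1900
"""

# "scanner -> target (portscan) <scan type>"
HEADER_RE = re.compile(r"^(\S+) -> (\S+) \(portscan\) (.+)$")
# "Name With Spaces: value" (keys are letters, spaces and '/', so the
# value may itself contain ':' as in "Scanner IP Range: a:b")
COUNTER_RE = re.compile(r"^([A-Za-z/ ]+?): (.+)$")
INT_FIELDS = ("Priority Count", "Connection Count", "IP Count", "Port/Proto Count")


def parse_portscan_log(text):
    """Split the log on blank lines and return one dict per portscan event.

    Blocks without a recognizable 'src -> dst (portscan) type' line are
    skipped so a truncated final block does not raise.
    """
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            m = HEADER_RE.match(line)
            if m:
                ev["src"], ev["dst"], ev["type"] = m.groups()
                continue
            m = COUNTER_RE.match(line)
            if m:
                ev[m.group(1).strip()] = m.group(2).strip()
        if "src" in ev and all(k in ev for k in INT_FIELDS):
            for k in INT_FIELDS:
                ev[k] = int(ev[k])
            events.append(ev)
    return events


def summarize_by_scanner(events):
    """Aggregate events per scanning source: counts, connections, types, targets."""
    summary = defaultdict(lambda: {"events": 0, "connections": 0,
                                   "types": set(), "targets": set()})
    for ev in events:
        s = summary[ev["src"]]
        s["events"] += 1
        s["connections"] += ev["Connection Count"]
        s["types"].add(ev["type"])
        s["targets"].add(ev["dst"])
    return dict(summary)


def events_involving(events, ip):
    """Events where ip is scanner or victim, like Base's per-IP 'Portscan Events' view."""
    return [ev for ev in events if ip in (ev["src"], ev["dst"])]


if __name__ == "__main__":
    # Usage: python portscan_summary.py [/path/to/portscan.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    parsed = parse_portscan_log(text)
    print("%d portscan events" % len(parsed))
    for src, s in sorted(summarize_by_scanner(parsed).items()):
        print("%-16s events=%d connections=%d targets=%d types=%s" % (
            src, s["events"], s["connections"], len(s["targets"]),
            ", ".join(sorted(s["types"]))))
```

Run it against the real portscan.log as the user Barnyard2/Base runs as: a non-zero event count from the same file that Base reads confirms the sensor side is fine and the permissions are right, which narrows the "Portscan Traffic" question to how Base populates that counter.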
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net