Snort mailing list archives
Base not reporting "Portscan Traffic"
From: Mike Boeckeler <boeckelr () gmail com>
Date: Mon, 17 Oct 2011 02:11:07 -0400
Hi everyone,

Last week I started a thread about not being able to get Snort/Base/Barnyard2 to work w/multiple sensors. Thanks to your help, I finally got it working and, with the exception of 1 issue, it's working well. The one problem is that "Portscan Traffic" in Base is stuck at zero.

I have read through the thread that was on here last summer - http://seclists.org/snort/2011/q3/144 - and have done what was recommended - to use barnyard2-1.9, and to modify my barnyard2.conf (in my case I have 2 barnyard2.conf files) with this:

input unified2: input_mode

In my case I set input_mode to log_unified2, but I tried the others as well. I also set up sfportscan in my 2 snort.conf files, and I pointed Base to it by modifying base_conf.php.

I have the permissions correct - when I nmap my network, the portscan.log file grows....and I can actually see some of the info contained in it inside of Base - when I click on any ip address in Base, there is a "Portscan Events" button in the upper right - when I click on it, if that ip address was either the source or victim of a portscan, it displays the type of portscan (i.e. TCP filtered portscan etc)....and then some details:

Priority Count: 0
Connection Count: 200
IP Count: 1
Scanner IP Range: 192.168.1.14:192.168.1.14
Port/Proto Count: 199
Port/Proto Range: 1:61900

So "Portscan Events" works fine in Base....but "Portscan Traffic" is stuck at zero. Does anyone have any ideas? Like I said, I have searched around for an answer to this....some people said that the way to fix it was to use mysql instead of barnyard2....but in the thread I linked to above, it sounds like this should work fine with barnyard2.

Sorry for the inconsistent fonts - gmail is screwing up the formatting on this for some reason tonight.

Thanks for your help.

Mike
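Added example (not from Mike's post, Snort, Barnyard2 or Base): a small Python parser for the sfportscan event text that Base shows under "Portscan Events", plus a per-scanner connection tally of the kind the "Portscan Traffic" counter is expected to reflect. The sample event is constructed from the field names and values quoted in the post; IPv4 scanner addresses are assumed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of the text payload sfportscan writes for one event
# (same fields and values as the "Portscan Events" detail quoted above).
SAMPLE_EVENT = (
    "Priority Count: 0\n"
    "Connection Count: 200\n"
    "IP Count: 1\n"
    "Scanner IP Range: 192.168.1.14:192.168.1.14\n"
    "Port/Proto Count: 199\n"
    "Port/Proto Range: 1:61900\n"
)

@dataclass(frozen=True)
class PortscanEvent:
    priority_count: int
    connection_count: int
    ip_count: int
    scanner_ip_range: tuple   # (first_ip, last_ip) as strings
    port_proto_count: int
    port_proto_range: tuple   # (low, high) as ints

def _field(fields, name):
    # Fail loudly on a truncated payload rather than silently reporting zero.
    if name not in fields:
        raise ValueError(f"missing sfportscan field: {name}")
    return fields[name]

def parse_portscan_event(text):
    """Parse one sfportscan event payload ("Key: value" lines) into a PortscanEvent."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed sfportscan line: {line!r}")
        fields[key.strip()] = value.strip()
    # Assumption: IPv4 only; ':' separates the two ends of the scanner range.
    first, _, last = _field(fields, "Scanner IP Range").partition(":")
    lo, _, hi = _field(fields, "Port/Proto Range").partition(":")
    return PortscanEvent(
        priority_count=int(_field(fields, "Priority Count")),
        connection_count=int(_field(fields, "Connection Count")),
        ip_count=int(_field(fields, "IP Count")),
        scanner_ip_range=(str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))),
        port_proto_count=int(_field(fields, "Port/Proto Count")),
        port_proto_range=(int(lo), int(hi)),
    )

def connections_by_scanner(events):
    """Sum Connection Count per scanning host: a simple 'portscan traffic' tally."""
    totals = {}
    for ev in events:
        src = ev.scanner_ip_range[0]
        totals[src] = totals.get(src, 0) + ev.connection_count
    return totals
```

Feeding each event payload from portscan.log through parse_portscan_event gives a count that can be compared against what Base displays, which helps tell a reporting problem apart from a logging one.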