Snort mailing list archives
sfportscan output to log / Barnyard2 processing
From: Brad Turnbough <brad.turnbough () gmail com>
Date: Sun, 3 Jun 2012 13:40:14 -0500
{{Disclosure -- I know this isn't 100% Snort related, but I don't have any other resource to turn to.}}

Hi All,

I have snort logging portscans to /var/log/snort/portscan.log. I've verified that scans are getting logged. What I need to do is to get that information (I think) converted to unified2 and read into the MySQL database using Barnyard2. Other test events are logged to unified2 log files successfully (and barnyard2 picks them up and logs them to MySQL), I just think that the sfportscan module needs to be told to log to unified2 as well. Can someone please assist me in getting that accomplished?

Snort Version 2.9.2.3
Barnyard2 Version 2.1.9

Example of /var/log/snort/portscan.log:

Time: 06/03-13:07:23.605810
event_ref: 0
MACADDRESS_SUBSTITUTED -> ff02::c (portscan) UDP Filtered Portsweep
Priority Count: 0
Connection Count: 30
IP Count: 5
Scanned IP Range: MACADDRESS_SUBSTITUTED
Port/Proto Count: 5
Port/Proto Range: 547:1900

snort.conf:

preprocessor sfportscan: proto { all } memcap { 10000000 } scan_type { all } sense_level { medium } logfile { /var/log/snort/portscan.log }

barnyard2.conf:

output database: alert, mysql, user=snort dbname=snorby password=PASSWORD_SUBSTITUTED host=localhost
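A small parser for the text layout of the sfportscan logfile quoted above, added here as an example; it is not code from the post or from the Snort or Barnyard2 projects. The sample records are constructed (documentation-range addresses in place of the substituted ones), and the noisy_scans helper and its threshold are assumed for illustration:

```python
import re

# Constructed sample in the layout of Snort's sfportscan text logfile
# (addresses are documentation-range placeholders, not values from the post).
SAMPLE_LOG = """\
Time: 06/03-13:07:23.605810
event_ref: 0
192.0.2.10 -> ff02::c (portscan) UDP Filtered Portsweep
Priority Count: 0
Connection Count: 30
IP Count: 5
Scanned IP Range: 192.0.2.10:192.0.2.14
Port/Proto Count: 5
Port/Proto Range: 547:1900

Time: 06/03-13:09:01.112233
event_ref: 0
192.0.2.20 -> 198.51.100.5 (portscan) TCP Portscan
Priority Count: 3
Connection Count: 12
IP Count: 1
Scanned IP Range: 198.51.100.5:198.51.100.5
Port/Proto Count: 12
Port/Proto Range: 21:445
"""

# The one line that is not "Key: value": "<src> -> <dst> (portscan) <scan type>"
HEADER_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) \(portscan\) (?P<scan>.+)$")

def parse_portscan_log(text):
    """Return one dict per record; records are separated by a blank line."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = HEADER_RE.match(line)
            if m:
                rec.update(m.groupdict())
                continue
            key, sep, value = line.partition(": ")
            if not sep:
                continue
            # "Port/Proto Range" -> "port_proto_range"; numeric counts become ints
            key = key.strip().lower().replace(" ", "_").replace("/", "_")
            rec[key] = int(value) if value.strip().isdigit() else value.strip()
        if "src" in rec:  # keep only blocks that carried a source/destination line
            records.append(rec)
    return records

def noisy_scans(records, min_connections=20):
    """Hypothetical triage helper: records at or above a connection count."""
    return [r for r in records if r.get("connection_count", 0) >= min_connections]
```

Once records are dicts, shipping them to a database or SIEM is a separate step; this only covers reading the text log as written by the logfile option.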