Snort mailing list archives

RE: snort "portscan.log" file empty?


From: "Matt Harrell" <mhar () plexus-online com>
Date: Wed, 15 Aug 2001 08:12:54 -0400

My alert.log file is actually even less used than portscan.log.  My
alert.log file hasn't been updated since April 17th.  We actually don't
see a lot of activity, normally.  Occasional port scans (mostly on
weekends) are about it.  I'm assuming these two logs don't get much
activity because they don't log specifically for the default.ida (Code
Red) stuff?  Thanks for the help.

Matt Harrell
Plexus Systems
mhar () plex-sys com

        -----Original Message-----
        From: Jason A. Haynes
        Sent: Tue 8/14/2001 6:22 PM
        To: Matt Harrell
        Cc: snort-users () lists sourceforge net
        Subject: Re: [Snort-users] snort "portscan.log" file empty?

        portscan.log logs port scans.  alert.log logs, well, alerts.  You should
        have both perl clients, one for each logfile format.  If you're missing
        it, the alert one is here:
        http://www.dshield.org/clients/dshield_snort.pl

        BTW, thanks for the link; I'll start sending them my home logs as soon as
        I script up a sort of whitelist for my job & other IPs I test from.

        Jason

        On Tue, 14 Aug 2001, Matt Harrell wrote:

        > I'm a relatively new user of Snort.  I'm running Snort version 1.8p1-0
        > (RPM) on Red Hat Linux 7.1.  I've noticed that the
        > /var/log/snort/portscan.log file rarely gets stuff logged to it, even
        > though I see a lot of activity logged by Snort in the "auth" log (and
        > "syslog") and for individual IP numbers in /var/log/snort for Code Red.
        > Shouldn't more be getting logged in portscan.log?
        >
        > The main reason I'm asking is that I recently became a member of DShield
        > (http://www.dshield.org), and I'm trying to send in my Snort
        > portscan.log file every day for the project using the Perl script I got
        > from the DShield web site for Snort (specifically for portscan.log).  It
        > seems only partially useful if many attacks that Snort detects are not
        > logged to portscan.log.
        >
        > Thank you.
        >
        > Matt Harrell
        > Plexus Systems
        > mhar () plex-sys com
        >
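As an added example (not code from this thread or from DShield's own client), a filter in the spirit of the whitelist Jason says he wants to script: it drops portscan.log entries whose source address falls inside the operator's own networks before the file is submitted, and sets aside lines it cannot parse rather than silently discarding them. The line layout, the CIDR ranges and the sample entries are assumptions constructed for the example, not taken from the thread.

```python
"""Drop whitelisted source hosts from a Snort 1.x portscan.log before submitting it."""
import ipaddress
import re

# Assumed Snort 1.x portscan.log line layout (constructed for this example):
#   "Aug 14 18:22:10 192.168.1.5:1234 -> 10.0.0.1:80 SYN ******S*"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)(?P<rest>.*)$"
)


def load_whitelist(cidrs):
    """Turn CIDR strings (hypothetical: office, home, test boxes) into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_whitelisted(src, networks):
    """True if the source address belongs to one of our own networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def filter_portscan_log(lines, networks):
    """Return (kept_lines, dropped_count, unparsed_lines) for one day's portscan.log."""
    kept, dropped, unparsed = [], 0, []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # keep for review; never drop what we could not read
            continue
        if is_whitelisted(m.group("src"), networks):
            dropped += 1  # our own scanners/test hosts: not the project's business
            continue
        kept.append(line)
    return kept, dropped, unparsed


# Constructed sample input using documentation address ranges (not real traffic).
SAMPLE_LOG = """\
Aug 14 18:22:10 203.0.113.7:3456 -> 192.0.2.10:80 SYN ******S*
Aug 14 18:22:10 203.0.113.7:3457 -> 192.0.2.10:443 SYN ******S*
Aug 14 18:25:01 10.1.2.3:1077 -> 192.0.2.10:53 UDP
Aug 14 18:26:44 198.51.100.9:40000 -> 192.0.2.11:22 SYN ******S*
Aug 14 18:27:00 malformed entry
"""

if __name__ == "__main__":
    nets = load_whitelist(["10.0.0.0/8", "198.51.100.9/32"])
    kept, dropped, unparsed = filter_portscan_log(SAMPLE_LOG.splitlines(), nets)
    print("\n".join(kept))
    print(f"# dropped {dropped} whitelisted line(s), {len(unparsed)} unparsed")
```

Point the script at the real file (for example `open("/var/log/snort/portscan.log")`) and feed the kept lines to the DShield client instead of the raw log.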

