Snort mailing list archives
Re: spp_portscan and mysql
From: "Mikael Chambon" <snort-ml () cronos org>
Date: Tue, 14 May 2002 00:05:40 +0200
Thanks for your response Jeff, effectively you were right about my conf file.
But as I can read in README.databases, the syntax is:

    [log | alert]

So there is no possibility to have log and alert logged in the database at the same time?

Thanks,

--
Mikael Chambon || Paris France
mikael (at) cronos.org
mikael (at) nerim.net
PGP key http://www.cronos.org/mikael/pgp/key.txt

----- Original Message -----
From: "Wirth, Jeff" <WirthJe () DNB com>
To: "'Mikael Chambon'" <snort-ml () cronos org>; <snort-users () lists sourceforge net>
Sent: Monday, May 13, 2002 4:13 PM
Subject: RE: [Snort-users] spp_portscan and mysql
> From: Mikael Chambon [mailto:snort-ml () cronos org]
> I am using snort 1.8.6, mysql 3.23.49, snortreport 1.11 on a Linux 2.4.18.
> Snort is correctly detecting portscans and writes correctly to alert and portscan.log:
>
> May 12 19:44:37 207.71.92.221:15000 -> 192.168.X.X:5000 SYN ******S*
> May 12 19:44:36 207.71.92.221:10445 -> 192.168.X.X:445 SYN ******S*
> May 12 19:44:36 207.71.92.221:10143 -> 192.168.X.X:143 SYN ******S*
> May 12 19:44:36 207.71.92.221:10139 -> 192.168.X.X:139 SYN ******S*
>
> The problem is, nothing is written in the sql database when it comes from spp_portscan...

check your snort.conf file, I would guess you have something along the lines of:

output database: log, mysql, <other options>
                 ^^^

In order to see portscan data you need to modify the above to:

output database: alert, mysql, <other options>
                 ^^^^^

> As we can see there is nothing from spp_portscan (but spp_stream4 mysql logging is working)

because spp_stream4 writes to the log facility and spp_portscan does not...

> I am not a SQL or snort guru and I used the "create_mysql" file (from snort contrib) to create the sql tables.
> Is it normal? Did I miss something? What can I do?

You can make the change above, but beware, the data will not appear in your database as it does in your portscan.log file. The format is something like (as it would appear in your alert file)....

" spp_portscan: PORTSCAN DETECTED to port 80 from XXX.XXX.XXX.XXX "

- Jeff
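The thread's practical point is that the database output plugin only receives whatever is routed to the facility named on its `output database:` line, so with `alert` selected you get the one-line `spp_portscan: PORTSCAN DETECTED ...` summary and not the per-probe detail that lands in portscan.log. The parser below is an added example, not code from the thread or from the Snort project: it reads the portscan.log line format Mikael quoted, decodes the 8-character Snort TCP flag field (fixed order `12UAPRSF`, `*` for an unset flag, so `******S*` is a bare SYN), aggregates probes per source address, and separately extracts source and port from an alert-facility line in the form Jeff quoted. The sample log lines and addresses are constructed for this example; treating the flag field as optional for non-TCP entries is an assumption, since the thread only shows TCP lines.

```python
import re
from collections import defaultdict

# portscan.log entry, in the format quoted in the thread:
#   May 12 19:44:37 207.71.92.221:15000 -> 192.168.X.X:5000 SYN ******S*
# The trailing flags field is optional here (assumption: non-TCP entries may omit it).
PORTSCAN_LOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<scan_type>\S+)(?: (?P<flags>\S{8}))?$"
)

# alert-facility summary, in the form Jeff quotes for the alert file / database:
#   spp_portscan: PORTSCAN DETECTED to port 80 from XXX.XXX.XXX.XXX
ALERT_RE = re.compile(
    r"spp_portscan: PORTSCAN DETECTED to port (?P<port>\d+) from (?P<src>\S+)"
)

# Snort renders TCP flags as a fixed 8-character field in the order 12UAPRSF,
# with '*' for a flag that is not set; "******S*" is a bare SYN.
FLAG_ORDER = "12UAPRSF"
FLAG_NAMES = {"1": "RES1", "2": "RES2", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}


def decode_flags(field):
    """Turn a Snort flag field such as '******S*' into ['SYN']."""
    if len(field) != len(FLAG_ORDER):
        raise ValueError("flag field must be 8 characters: %r" % field)
    names = []
    for expected, ch in zip(FLAG_ORDER, field):
        if ch == "*":
            continue
        if ch != expected:
            raise ValueError("unexpected flag character %r in %r" % (ch, field))
        names.append(FLAG_NAMES[ch])
    return names


def parse_portscan_log_line(line):
    """Parse one portscan.log line into a dict, or return None if it does not match."""
    m = PORTSCAN_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["timestamp"] = "%s %s %s" % (rec.pop("month"), rec.pop("day"), rec.pop("time"))
    rec["flags"] = decode_flags(rec["flags"]) if rec["flags"] else []
    return rec


def parse_alert_line(line):
    """Extract (source, port) from an spp_portscan alert-facility line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return m.group("src"), int(m.group("port"))


def summarize_portscan_log(lines):
    """Aggregate portscan.log lines per source: probe count, distinct ports, flags, time span."""
    per_src = defaultdict(lambda: {"probes": 0, "dst_ports": set(), "flags": set(),
                                   "first": None, "last": None})
    for line in lines:
        rec = parse_portscan_log_line(line)
        if rec is None:
            continue  # skip anything that is not a portscan.log entry
        s = per_src[rec["src"]]
        s["probes"] += 1
        s["dst_ports"].add(rec["dport"])
        s["flags"].update(rec["flags"])
        s["first"] = s["first"] or rec["timestamp"]
        s["last"] = rec["timestamp"]
    # freeze the sets into sorted lists so the summary is stable and comparable
    return {src: {"probes": v["probes"],
                  "dst_ports": sorted(v["dst_ports"]),
                  "flags": sorted(v["flags"]),
                  "first": v["first"], "last": v["last"]}
            for src, v in per_src.items()}


# Constructed sample input in the portscan.log format quoted in the thread
# (addresses are made up for this example).
SAMPLE_PORTSCAN_LOG = """\
May 12 19:44:36 207.71.92.221:10139 -> 192.168.1.10:139 SYN ******S*
May 12 19:44:36 207.71.92.221:10143 -> 192.168.1.10:143 SYN ******S*
May 12 19:44:36 207.71.92.221:10445 -> 192.168.1.10:445 SYN ******S*
May 12 19:44:37 207.71.92.221:15000 -> 192.168.1.10:5000 SYN ******S*
May 12 19:44:37 10.0.0.5:40000 -> 192.168.1.10:22 SYN ******S*
May 12 19:44:37 10.0.0.5:40001 -> 192.168.1.10:80 SYN ******S*
""".splitlines()

# Constructed alert-facility line in the form Jeff quotes; with
# "output database: alert, ..." this one line is all the database receives.
SAMPLE_ALERT_LINE = "spp_portscan: PORTSCAN DETECTED to port 80 from 10.0.0.5"

if __name__ == "__main__":
    for src, info in summarize_portscan_log(SAMPLE_PORTSCAN_LOG).items():
        print(src, info)
    print(parse_alert_line(SAMPLE_ALERT_LINE))
```

Run it on a real portscan.log to get the per-source port list and time span that the alert-facility summary row does not carry; the flag decoder raises on a malformed field rather than silently mislabelling a probe.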
Current thread:
- spp_portscan and mysql Mikael Chambon (May 12)
- <Possible follow-ups>
- RE: spp_portscan and mysql Wirth, Jeff (May 13)
- Re: spp_portscan and mysql Mikael Chambon (May 13)