Snort mailing list archives
RE: ACID Reporting and Portscans
From: "Joe Giles" <jgiles () joeman1 com>
Date: 6 Aug 2002 19:24:05 -0000
Well, now I'm totally confused. I am logging to the syslog AND to MySQL (for ACID), and in the syslog I'm getting:

Aug 6 13:21:23 wolfserver snort: spp_portscan: portscan status from <ip Address>: 1 connections across 1 hosts: TCP(1), UDP(0)

but in ACID I'm not seeing that. The portscan.log file has these permissions:

-rw-rw-r-- 1 root root 67691 Aug 6 13:22 portscan.log

Any ideas why it's not showing up in ACID?

Thanks
Joe
You may already be doing this, so don't take offense if you have!

When you see an alert for spp_portscan and click on the IP address, you won't see portscan data. You will only see the data for that alert, and since the portscan data isn't kept in the alert itself, it isn't shown here. After clicking on the IP address for which a portscan alert was generated, you need to click on "Portscan Events" towards the top of the screen. It's in the middle of a list like:

all alerts with 68.15.1.134/32 as : source | destination | source/destination
show: unique alerts | portscan events
                      ^^^^^^^^^^^^^^^
Registry lookup (whois) in: ARIN | RIPE APNIC
External: DNS | whois | SamSpade

If you're already doing this and not getting data, you may want to check permissions on your portscan.log file to make sure your apache user (or equivalent) has read access.

HTH,
Mike

-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com]
Sent: Tuesday, August 06, 2002 12:08 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] ACID Reporting and Portscans

Probably a simple setup issue, but I can't get any data from ACID's Portscan Traffic. I get data from my portscan preprocessor. I can generate a file /var/log/snort/portscan.log (owned by root) and the file is working, and I have it set up in the acid_conf.php file; I have

$portscan_file = "/var/log/snort/portscan.log";

set. But I'm not ever getting any port scan traffic. I can see different port scan information in the logs, but isn't it supposed to generate portscan-specific info?

Thanks
Joe Giles
jgiles () joeman1 com
AOL ID: mcigiles

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Joe Giles
jgiles () joeman1 com
AOL ID: mcigiles
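The two checks Mike's reply suggests, whether the spp_portscan status line is really arriving and whether the web server's account can read portscan.log, as an added Python example. This is not code from the thread, from ACID or from Snort. The `ls -l` and syslog lines are constructed to match the formats quoted above (with a documentation address in place of the redacted one); the account name `apache` with primary group `apache` is an assumption, so substitute whatever your httpd runs as. The mode quoted in the thread, -rw-rw-r--, is world-readable, so for that file the permission check passes and ACID's inability to read the file is not the explanation; the tightened chmod 640 variant in the sample shows the case where it would be.

```python
"""Checks for the situation in the thread: is the spp_portscan status
line what syslog received, and could the web server's user read
portscan.log at all (ACID reads it from the file system, not from the
alert database)."""
import re

# Constructed sample `ls -l` lines: the first is the permission line
# quoted in the thread, the second is a tightened variant (chmod 640)
# an admin might apply later.
SAMPLE_LS_LINES = [
    "-rw-rw-r-- 1 root root 67691 Aug  6 13:22 portscan.log",
    "-rw-r----- 1 root root 67691 Aug  6 13:22 portscan.log",
]

# Constructed syslog line in the spp_portscan "portscan status" format
# quoted in the thread; 192.0.2.10 is a documentation address.
SAMPLE_SYSLOG = (
    "Aug  6 13:21:23 wolfserver snort: spp_portscan: portscan status "
    "from 192.0.2.10: 1 connections across 1 hosts: TCP(1), UDP(0)"
)

LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

PORTSCAN_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>[0-9A-Fa-f.:]+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)


def parse_ls_line(line):
    """Split an `ls -l` line into mode string, owner, group and name."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    return m.groupdict()


def can_read(mode, owner, group, user, user_groups):
    """POSIX read check from a symbolic mode string such as -rw-rw-r--.

    Only the first matching class counts: the owner bits if `user` owns
    the file, otherwise the group bits if the file's group is one of
    `user_groups`, otherwise the 'other' bits.  root bypasses DAC.
    """
    if user == "root":
        return True
    if user == owner:
        return mode[1] == "r"
    if group in user_groups:
        return mode[4] == "r"
    return mode[7] == "r"


def web_user_can_read(ls_line, user="apache", user_groups=("apache",)):
    """True if the (assumed) web server account could open the listed file."""
    f = parse_ls_line(ls_line)
    return can_read(f["mode"], f["owner"], f["group"], user, set(user_groups))


def parse_portscan_status(line):
    """Pull the source address and counters out of a spp_portscan status line.

    Returns None for lines that are not portscan status messages.
    """
    m = PORTSCAN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"],
        "connections": int(d["conns"]),
        "hosts": int(d["hosts"]),
        "tcp": int(d["tcp"]),
        "udp": int(d["udp"]),
    }


if __name__ == "__main__":
    for line in SAMPLE_LS_LINES:
        print("%-58s apache can read: %s" % (line, web_user_can_read(line)))
    print(parse_portscan_status(SAMPLE_SYSLOG))
```

On a live box the equivalent one-liner is to run the read test under the web server's identity, e.g. `sudo -u apache test -r /var/log/snort/portscan.log`, which also catches directory permissions on /var/log/snort that a mode string for the file alone cannot show.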
Current thread:
- ACID Reporting and Portscans Joe Giles (Aug 06)
- <Possible follow-ups>
- RE: ACID Reporting and Portscans Cloppert, Michael (Aug 06)
- RE: ACID Reporting and Portscans Joe Giles (Aug 06)