Snort mailing list archives

managing portscan alerts


From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Mon, 12 Aug 2002 09:56:56 -0400

I am in a high-traffic environment and I'm running into a... slight
irritation with SNORT/ACID.  From what I understand, using an "output
database: alert" will generate portscan alerts, and log all the gory details
to $logdir/portscan.log.  If I change this line to "output database: log", I
don't see alerts in ACID.  This is good.  Unfortunately, I've noticed I also
don't see the information in portscan.log.

What I want is this information to be stored in portscan.log, but alerts NOT
generated.  This way I don't get the "noise" of the portscan alerts in ACID,
but if I want to investigate a particular IP address more closely, I can
still get useful information out of the "portscan" link where ACID grabs
data from portscan.log.  Now, I know, I can always manually delete the
portscan alerts... but like I said, being in a high-traffic environment, I'd
like to avoid having this write/delete load on my database.  

Does anyone have the "database: log" running while still collecting the
portscan information in portscan.log?  Can I do this?  Any feedback would be
appreciated.

Thanks in advance,
Mike


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net