Snort mailing list archives
RE: spp_portscan and database schema
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Fri, 19 Jul 2002 12:32:57 -0500
portscan2

-----Original Message-----
From: Florin Andrei [mailto:florin () sgi com]
Sent: Friday, July 19, 2002 12:05 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] spp_portscan and database schema

On Thu, 2002-07-18 at 16:03, Erek Adams wrote:

> On 18 Jul 2002, Florin Andrei wrote:
>
> > I'm looking at portscan.log and i'd like to get that kind of
> > information from the database without too many twists. Of course,
> > if i'd run Snort in log mode, i think i'd have enough data to do
> > that. But i'm running it in the alert mode, and log mode is not
> > really an option (too much traffic). It would be nice if
> > spp_portscan would suddenly switch to "log mode" once it detects a
> > portscan, and revert back to alert. Or something like that, i'm not
> > sure how to explain. To put it dumbly, "i want portscan.log in the
> > database". :-)
>
> Covered in your Handy-Dandy FAQ pages!
> http://acidlab.sourceforge.net/acid_faq.html#faq_b7

Yes, that's precisely what i'd like to see done in a different way.
That's why i wrote my first message. Not having ports (and other TCP
info) in the database makes you do all kinds of weird acrobatics to get
meaningful info from the data.

I mean, i think it's an architectural issue here. Pre-processors cannot
pass data to the output plugin because they don't have to. I'm cool with
that. At least, usual preprocs don't have to, because it doesn't make
sense for them to do that (what would be the purpose to begin with?).
But portscan is not like the others; the very nature of the event that
triggers the portscan alerts is different. Passing TCP data, like ports,
etc. suddenly makes sense here.

> Now, _WHY_ do you have to do it that way?
> http://www.theadamsfamily.net/~erek/snort/logging_methods.txt

If i understand this correctly, Marty basically says "turn on logging if
you want that info in the database" (correct me if i'm wrong). I cannot
do that, the traffic is way too high. I don't have multiple
multi-terabyte RAID arrays available. :-)

> Seriously, spp_portscan2 is being worked on in the 1.9dev branch. That
> will make quite a few changes to the way portscans are handled, so
> don't expect things to remain the same. :)

Great! What are the differences between v2 and v1?

<dumb_mode>
Are we going to get "portscan.log in the database" with v2? :-)
</dumb_mode>

-- 
Florin Andrei

Don't break things that don't need to be broken while you're fixing
things that really need fixing.

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users