Re: prob w/ database output configuration & ACID

["Rob Burris" <robeb () keepthevibe com>]

*This message was transferred with a trial version of CommuniGate(tm) Pro*
Running in "log" mode will send output from both log and alert rules.
Everything will be categorized under TCP, UDP, and ICMP profiles (even
portscans) and nothing will show up under the Portscans Traffic profile. At
least, that's the way it seems to work w/ my configuration. All logged
portscans go under the TCP profile.

In the acid_config.php file there is a variable $portscan_file which is set
to the path, I assume, of the portscan.log file, which contains that IP
source and destination address of scans, but no packet info. Where does this
come into the big picture w/ ACID (and portscans)? There didn't seem to be
much info on this in the README file other than it was optional.

Thanks for the previous reply!

- Rob B.


----- Original Message -----
From: "Erek Adams" <erek () snort org>
To: "Rob Burris" <robeb () keepthevibe com>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, March 27, 2003 8:45 PM
Subject: Re: [Snort-users] prob w/ database output configuration & ACID


> *This message was transferred with a trial version of CommuniGate(tm) Pro*
> On Thu, 27 Mar 2003, Rob Burris wrote:
>
> > I am having a problem with the way ACID logs the output from snort. When
> > I use the "log" argument in the output database configuration ACID only
> > logs packets and not portscans. However, when I use the "alert" argument
> > ACID only logs portscans and not packets. Is there a way to log both
> > packets logs and portscans? I am using snort 1.9 w/ ACID 0.9 and MySQL
> > 3.23 in a Linux environment.
>
> http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
>
> That covers the basics of log vs. alerts.
>
> What it doesn't cover is that the portscan or portscan2 preprocessor
> doesn't include packets in it's info at all.  So the answer to your
> question:  Nope.  You can't have both.  :-/
>
> Cheers!
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."   H.S. Thompson



-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users