Re: prob w/ database output configuration & ACID

[Erek Adams <erek () snort org>]

On Fri, 28 Mar 2003, Rob Burris wrote:

> Running in "log" mode will send output from both log and alert rules.
> Everything will be categorized under TCP, UDP, and ICMP profiles (even
> portscans) and nothing will show up under the Portscans Traffic profile. At
> least, that's the way it seems to work w/ my configuration. All logged
> portscans go under the TCP profile.

That's right, but that's not what you asked...  :)

> In the acid_config.php file there is a variable $portscan_file which is set
> to the path, I assume, of the portscan.log file, which contains that IP
> source and destination address of scans, but no packet info. Where does this
> come into the big picture w/ ACID (and portscans)? There didn't seem to be
> much info on this in the README file other than it was optional.

What isn't obvious:  The portscan and portscan2 preprocessors do not
_have_ the entire packet to write to the DB.  They only have a limited
amount of info:  src ip, src port, dst ip, dst port, and flags.  It never
stores the data of the payload--That's why you can't ever have the payload
(full packet) info into the database from the portscan/portscan2
preprocessors.

> Thanks for the previous reply!

No problem.  Glad to have shed some light on it for you.

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users