Snort mailing list archives
RE: Snort Enterprise Implementation
From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Mon, 13 Jan 2003 09:23:32 -0500
Greg,

Set the $portscan_file variable in acid_conf.php. From the Install Guide (http://www.cert.org/kb/acid/):

[OPTIONAL for Snort portscan pre-processor support]
o $portscan_file : full path to a Snort portscan log file

However, this requires that the ACID system have access to the portscan.log file. This can be achieved near-realtime via cron jobs that collect those via SCP and append them to a master file on the ACID station.

As another option, you can change the action of Snort from 'alert' to 'log'. This will force each portscan event to show as an alert along with all the rest, but beware, I've had major issues with how it sends the alert not allowing me to list by IP and have the portscans be listed properly.

hth,
John Hicks

-----Original Message-----
From: Greg Adams [mailto:adamsg () nih gov]
Sent: Monday, January 13, 2003 8:07 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Enterprise Implementation

I have set up a "Snort Enterprise Implementation". I used the documentation prepared by Steven J. Scott (http://www.superhac.com). I have set up the two Linux servers, one acting as a server for ACID, Apache, MySQL database, and SnortCenter; the second Linux box is set up as a Snort sensor only. I have been successful in setting up the two servers and see events being recorded for the fields TCP, UDP, ICMP of the Analysis Console for Intrusion Databases (ACID); however, the percent for Portscan Traffic remains at zero in ACID. The Snort sensor server shows data being recorded to the alert and scan.log files. Does anyone have any insight as to what I may have missed in the configuration to cause the Portscan Traffic to remain at zero?

Greg Adams

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
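The cron-plus-SCP collection John describes is easy to get wrong in two ways: every run re-appends the whole sensor log (duplicate portscan entries in ACID), or a rotated sensor log is silently skipped. The script below is an added example, not from the thread or from the Snort/ACID projects; it assumes key-based ssh from the ACID host to each sensor and the path /var/log/snort/portscan.log on the sensor (both assumptions), and appends only the not-yet-copied bytes by keeping a per-sensor offset.

```shell
#!/bin/sh
# Append only the not-yet-copied tail of a sensor's portscan.log copy to the
# master file ACID's $portscan_file points at. A per-sensor byte offset makes
# repeated cron runs idempotent; a copy shorter than the offset means the
# sensor rotated its log, so copying restarts from byte zero of the new file.
# Usage: append_portscan SENSOR_NAME LOCAL_COPY MASTER_FILE STATE_DIR
append_portscan() {
    sensor=$1; copy=$2; master=$3; state=$4
    offset_file="$state/$sensor.offset"
    mkdir -p "$state"
    [ -f "$offset_file" ] || echo 0 > "$offset_file"
    offset=$(cat "$offset_file")
    size=$(wc -c < "$copy" | tr -d ' ')
    # Rotation: the fresh copy is shorter than what was already consumed.
    if [ "$size" -lt "$offset" ]; then
        offset=0
    fi
    if [ "$size" -gt "$offset" ]; then
        # tail -c +N starts at byte N (1-based), i.e. skips $offset bytes
        tail -c +$((offset + 1)) "$copy" >> "$master"
    fi
    echo "$size" > "$offset_file"
}

# One cron cycle for one sensor: pull its log with scp, then merge it.
# Host, remote path and local directories are assumptions for this example.
collect_sensor() {
    sensor=$1; host=$2; remote_log=${3:-/var/log/snort/portscan.log}
    work=/var/lib/acid-portscan
    mkdir -p "$work"
    scp -q "$host:$remote_log" "$work/$sensor.portscan.log" || return 1
    append_portscan "$sensor" "$work/$sensor.portscan.log" \
        /var/log/snort/portscan.master.log "$work/state"
}
```

Run collect_sensor once per sensor from a cron entry on the ACID host (for example every minute), and point $portscan_file in acid_conf.php at the master file.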
Current thread:
- Snort Enterprise Implementation Greg Adams (Jan 13)
- Re: Snort Enterprise Implementation Jens Krabbenhoeft (Jan 13)
- Re: Snort Enterprise Implementation Dustin Decker (Jan 13)
- <Possible follow-ups>
- Re: Snort Enterprise Implementation larc (Jan 13)
- RE: Snort Enterprise Implementation Hicks, John (Jan 13)