Snort mailing list archives

Re: Barnyard2 not inputting portscans (was Unified Logging - BASE - Portscans)


From: beenph <beenph () gmail com>
Date: Wed, 27 Jul 2011 09:02:44 -0400

On Wed, Jul 27, 2011 at 8:50 AM, James Lay <jlay () slave-tothe-box net> wrote:
> Just confirmed.....with going direct to mysql from snort with no barnyard,
> I TOTALLY not only get a portscan entry, but also an "Open port: ****"
> entry:
>
> (portscan) TCP Portscan: 21:49157
> (portscan) Open Port: 53
>
> But now I even see yon "Portscan Traffic (< 1%)" on the BASE
> mainscreen.  Nice sleuthing job Michael!  I'll be sticking with direct to
> db from snort until this is fixed.


There are many reasons why you shouldn't use the direct database output from snort.
The main reason is that any problems with the database would directly
hinder the whole detection process.
The second reason is that the direct database output plugin will be
deprecated in the future for the reason
mentioned above and other reasons.

Use the link on github I gave you and you should see your portscan
events being logged without an issue.

I am working on barnyard2 with firnsy; the only reason this has not
made its way into 1.10 is because
there will be other changes made in the near future.

But it is perfectly stable and reliable, your call.



Thanks.
-elz
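The decoupled pipeline the reply recommends (snort writes unified2 spool files, barnyard2 reads them and does the database inserts) looks like the fragments below. This is an added illustration, not configuration from the thread or from the barnyard2 project; the spool directory, file names, database name, user and password are assumed placeholders, and the `output database` line must match the database type and credentials of your own BASE backend.

```conf
# --- snort.conf (assumed excerpt) ---
# Snort only appends binary unified2 records to a spool file; if the
# database is down, detection and logging continue unaffected.
# "limit 128" rolls the file over at 128 MB (snort appends a timestamp).
output unified2: filename snort.u2, limit 128

# --- barnyard2.conf (assumed excerpt) ---
# The waldo file is barnyard2's bookmark: which spool file and record it
# last processed, so a restart resumes instead of re-inserting events.
config waldo_file: /var/log/snort/barnyard2.waldo

# Hostname/interface are stored with each event in the sensor table.
config hostname:  sensor01.example.internal
config interface: eth1

# Read the unified2 records snort produced above.
input unified2

# Write alerts (and portscan events, with the github build referenced
# in the thread) to the same MySQL schema BASE reads.
# Replace the placeholder credentials with your own.
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost
```

barnyard2 is then started against the spool directory and file prefix from snort.conf (for example `barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo`), so a database outage only lets the spool grow until the database returns, rather than stalling snort itself.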

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation
