Re: Base not reporting "Portscan Traffic"

[Mike Boeckeler <boeckelr () gmail com>]

Hi,

A few days ago I posted the message below to this group, and Elz and James
have helped me out tremendously.

I have another question here - what conditions in the VRT snort.conf need to
be satisfied in order for sfportscan to work?  Do I just need to make sure
stream5 is set up according to the README.sfportscan file, and make sure the
sfportscan line is uncommented, and has the options that I want included in
it?

Do I need to do anything else besides those 2 things?

And is there any reason that anyone can think of why snort will populate the
portscan.log file with portscan alerts, but wont log them - whether its
logging to console or to a unified2 logfile?

Thanks,
Mike

On Mon, Oct 17, 2011 at 2:11 AM, Mike Boeckeler <boeckelr () gmail com> wrote:

> Hi everyone,
>
> Last week I started a thread about not being able to get
> Snort/Base/Barnyard2 to work w/multiple sensors.  Thanks to your help, I
> finally got it working and with the exception of 1 issue, its working well.
>
> The one problem is that "Portscan Traffic" in Base is stuck to zero.  I
> have read thru the thread that was on here last summer -
> http://seclists.org/snort/2011/q3/144  - and have done what was
> recommended - to use barnyard2-1.9, and to modify my barnyard2.conf (in my
> case I have 2 barnyard2.conf files) with this:
>
> input unified2:  input_mode
>
> in my case I set input_mode to log_unified2, but I tried the others as
> well.
>
> I also set up sfportscan in my 2 snort.conf files, and I pointed Base to it
> by modifying base_conf.php.  I have the permissions correct - when I nmap my
> network, the portscan.log file grows....and I can actually see some of the
> info contained in it inside of Base - when I click on any ip address in
> Base, there is a "Portscan Events" button in the upper right - when I click
> on it, if that ip address was either the source or victim of a portscan, it
> displays the type of portscan (i.e. TCP filtered portscan etc)....and then
> some details:
>
> Priority Count: 0
> Connection Count: 200
> IP Count: 1
> Scanner IP Range: 192.168.1.14:192.168.1.14
> Port/Proto Count: 199
> Port/Proto Range: 1:61900
>
> So "Portscan Events" works fine in Base....but "Portscan Traffic" is stuck at zero.
>
> Does anyone have any ideas?  Like I said, I have searched around for an answer to this....some people said that the 
> way to fix it
> was to use mysql instead of barnyard2....but in the thread I linked to above, it sounds like this should work fine 
> with
> barnyard2.
>
> Sorry for the inconsistent fonts - gmail is screwing up the formatting on this for some reason tonite.
>
> Thanks for your help.
> Mike
------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!