Re: sfportscan output to log / Barnyard2 processing

[Jason Brvenik <jbrvenik () sourcefire com>]

Portscans cal already be logged to unified2. The problem is that it is
n overload of IPPROTO for lack of another option and the tools BY2
combined with the antiquated DB schema are unable to accommodate them.
I believe the BY2 folks are working on an update but until then there
really isn't a clean solution.



On Jun 3, 2012, at 2:43 PM, Brad Turnbough <brad.turnbough () gmail com> wrote:

> {{Disclosure -- I know this isn't 100% Snort related, but I don't have any other resource to turn to.}}
>
>
> Hi All,
>
> I have snort logging portscans to /var/log/snort/portscan.log.  I've verified that scans are getting logged.
>
> What I need to do is to get that information (I think) converted to unified2 and read into the MySQL database using 
> Barnyard2.
>
> Other test events are logged to unified2 log files successfully (and barnyard2 picks them up and logs them to MySQL), 
> I just think that the sfportscan module needs to be told to log to unified2 as well.
>
>
> Can someone please assist me in getting that accomplished?
>
> Snort Version 2.9.2.3
> Barnyard2 Version 2.1.9
>
>
> Example of /var/log/snort/portscan.log:
>
> Time: 06/03-13:07:23.605810
> event_ref: 0
> MACADDRESS_SUBSTITUTED -> ff02::c (portscan) UDP Filtered Portsweep
> Priority Count: 0
> Connection Count: 30
> IP Count: 5
> Scanned IP Range: MACADDRESS_SUBSTITUTED
> Port/Proto Count: 5
> Port/Proto Range: 547:1900
>
> snort.conf:
> preprocessor sfportscan: proto  { all } memcap { 10000000 } scan_type { all } sense_level { medium } logfile { 
> /var/log/snort/portscan.log }
>
> barnyard2.conf:
> output database: alert, mysql, user=snort dbname=snorby password=PASSWORD_SUBSTITUTED host=localhost
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!