Snort mailing list archives

Re: Portscans in BASE


From: "Jaydip M. Dudhatra via Snort-users" <snort-users () lists snort org>
Date: Mon, 15 Jul 2019 14:57:52 +0000

Hi,

You are right. People just can't use the abusive words here.



Sent from my T-Mobile 4G LTE Device


-------- Original message --------
From: Michael Steele <michaels () winsnort com>
Date: 7/15/19 10:54 AM (GMT-05:00)
To: 'Dorian ROSSE' <dorianbrice () hotmail fr>
Cc: Snort-users () lists snort org
Subject: Re: [Snort-users] Portscans in BASE

If you don't know something like BASE then don't respond, period!

Now to direct the real issue...

What is the Snort mailing list coming to? Maybe it's time to start banning some of these people that make remarks like this!

How about it Joe, is it not time?

WINSNORT.com Management Team Member
--
********************************************************
*     Since 2002 ~~ Visit http://www.winsnort.com
*      ~~ FREE Windows installation Tutorials ~~
*              ~~ FREE Support Forums ~~
* Snort: Open Source Network IDS - http://www.snort.org
********************************************************

From: Dorian ROSSE <dorianbrice () hotmail fr>
Sent: Monday, July 15, 2019 10:20 AM
To: Michael Steele <michaels () winsnort com>
Cc: Snort-users () lists snort org
Subject: Re: [Snort-users] Portscans in BASE

I don't know BASE but if it is as Snort, read the fucking manual html snort lol
Why do you keep reading a manual where nothing is explained?
Read the Snort HTML manual ;)
Download Outlook for Android<https://aka.ms/ghei36>

________________________________
From: Michael Steele <michaels () winsnort com<mailto:michaels () winsnort com>>
Sent: Monday, July 15, 2019 4:06:52 PM
To: 'Dorian ROSSE'
Cc: Snort-users () lists snort org<mailto:Snort-users () lists snort org>
Subject: RE: [Snort-users] Portscans in BASE

This is all related to BASE.

The master MySQL sensor is running BASE which is logging portscans to the portscan.log file using the below.

# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

There are 6 slave sensors directing events to the above master sensor and all is working fine. However, I have no idea where the portscans are being directed to from the slaves using the below.

# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

Do these portscan events get inserted into the database in some table that is not readable by BASE using the above configuration setting?

If there was a possibility of sharing the log file on the master sensor there is no source ID for the logged portscan event.

Maybe it is just not possible to process portscan events from remote sensors?

WINSNORT.com Management Team Member

From: Dorian ROSSE <dorianbrice () hotmail fr<mailto:dorianbrice () hotmail fr>>
Sent: Monday, July 15, 2019 2:26 AM
To: Michael Steele <michaels () winsnort com<mailto:michaels () winsnort com>>
Subject: Re: [Snort-users] Portscans in BASE

If you can't use portscan from the README, have you tried the portscan example from the Snort HTML manual page about portscan?
It could work,
Download Outlook for Android<https://aka.ms/ghei36>

________________________________
From: Snort-users <snort-users-bounces () lists snort org<mailto:snort-users-bounces () lists snort org>> on behalf of 
Michael Steele <michaels () winsnort com<mailto:michaels () winsnort com>>
Sent: Monday, July 15, 2019 3:22:01 AM
To: Snort-users () lists snort org<mailto:Snort-users () lists snort org>
Subject: [Snort-users] Portscans in BASE

For the master sensor that BASE resides on, the default portscan detection is configured:

# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

For the slave sensors, the default portscan detection is configured:

# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

Does anyone know where the portscans are being directed to for the slaves, and is BASE able to see them?
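One practical gap raised in this thread is that the portscan.log written on the master carries no sensor ID, so records from several sensors cannot be told apart once pooled. The following Python is an added example, not code from the thread or from the Snort project: it parses the multi-line record layout that sfportscan writes when `logfile` is set and tags each record with a caller-supplied sensor name. The record layout is assumed from README.sfportscan and the two sample records are constructed.

```python
"""Added example (not from the thread): parse sfportscan 'logfile' records
and tag each with a sensor ID, since the file itself carries none."""
import re

# Constructed sample in the multi-line layout sfportscan writes to the
# file named by `logfile { portscan.log }` (layout assumed from README).
SAMPLE_LOG = """\
Time: 07/15-03:22:01.123456
event_ref: 0
192.0.2.10 -> 198.51.100.5 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 10
IP Count: 1
Scanner IP Range: 192.0.2.10:192.0.2.10
Port/Proto Count: 10
Port/Proto Range: 22:443

Time: 07/15-03:25:40.654321
event_ref: 0
192.0.2.77 -> 198.51.100.5 (portscan) UDP Portsweep
Priority Count: 3
Connection Count: 8
IP Count: 4
Scanner IP Range: 192.0.2.77:192.0.2.77
Port/Proto Count: 1
Port/Proto Range: 161:161
"""

# Matches the "<src> -> <dst> (portscan) <scan type>" line of each record.
HEADER_RE = re.compile(r"^(\S+) -> (\S+) \(portscan\) (.+)$")


def parse_portscan_log(text, sensor):
    """Return one dict per blank-line-separated record, tagged with sensor."""
    events = []
    for block in text.strip().split("\n\n"):
        ev = {"sensor": sensor}  # our own tag; absent from the log file
        for line in block.splitlines():
            m = HEADER_RE.match(line)
            if m:
                ev["src"], ev["dst"], ev["type"] = m.groups()
            elif ": " in line:
                key, val = line.split(": ", 1)
                # Counters become ints; Time, event_ref and ranges stay strings.
                ev[key] = int(val) if key.endswith("Count") else val
        events.append(ev)
    return events
```

Run once per sensor's copy of the file with a distinct sensor name, and the merged list keeps the per-sensor origin that the raw log loses.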
