Snort mailing list archives

Re: Portscans in BASE

From: "Joel Esler \(jesler\) via Snort-users" <snort-users () lists snort org>
Date: Mon, 15 Jul 2019 23:59:51 +0000

Why would Cisco teach you how to use a third party interface to Snort, that we have no support for?

This is a community mailing list.  You aren’t paying anyone on here to teach you how to use Snort or any of it’s 
associated programs.  

All of the questions you are asking, most likely, can be found by a Google search or by reading the manual.  

After you have exhausted doing those two, please feel free to ask complete questions here, tell us what you are trying 
to do. Tell us what you have already tried to do. Give us logs and output from your commands so we can see the errors 
you are stuck on. 

That is the most productive use of the time of the people on this list. Every email you send goes to 15,000+ people. 
The more emails you send, the more time of theirs you are wasting.  All complete questions to receive complete answers. 
 

Sent from my  iPhone

On Jul 15, 2019, at 15:28, Dorian ROSSE via Snort-users <snort-users () lists snort org> wrote:


Maybe if cisco can teach me how to use BASE? 

After I don't know why you keep stand on a manual whose don't teach how to set up porscan

Where I have false if the manual doesn't teach how to set up the program? 

I find interesting where people has always against me who search always the bad and only the bad

Maybe if you search for find the good? 

Have a nice evening from France🇫🇷🗼

I am as always in holiday (workout, IT and beach) 

Regards. 


Dorian Rosse. 

Télécharger Outlook pour Android

From: Jaydip M. Dudhatra <jdudhatra () tec-system com>
Sent: Monday, July 15, 2019 4:57:52 PM
To: Michael Steele; 'Dorian ROSSE'
Cc: Snort-users () lists snort org
Subject: Re: [Snort-users] Portscans in BASE
 
Hi,

You are right. People just can't use the abusive words here. 



Sent from my T-Mobile 4G LTE Device


-------- Original message --------
From: Michael Steele <michaels () winsnort com>
Date: 7/15/19 10:54 AM (GMT-05:00)
To: 'Dorian ROSSE' <dorianbrice () hotmail fr>
Cc: Snort-users () lists snort org
Subject: Re: [Snort-users] Portscans in BASE

If you don’t know something like BASE then don’t respond, period!
 
Now to direct the real issue…
 
What is the snort mailing list coming too. Maybe it’s time to start banning some of these people that make remarks 
like this!
 
How about it Joe, is it not time?
 
WINSNORT.com Management Team Member
--
********************************************************
*     Since 2002 ~~ Visit http://www.winsnort.com
*      ~~ FREE Windows installation Tutorials ~~
*              ~~ FREE Support Forums ~~
* Snort: Open Source Network IDS - http://www.snort.org
********************************************************
 
From: Dorian ROSSE <dorianbrice () hotmail fr> 
Sent: Monday, July 15, 2019 10:20 AM
To: Michael Steele <michaels () winsnort com>
Cc: Snort-users () lists snort org
Subject: Re: [Snort-users] Portscans in BASE
 
I don't know BASE but if It is as snort read the fucking manual html snort lol

Why do you keep to read a manual where nothing is explain?

Read snort html manual ;)

Télécharger Outlook pour Android
 
From: Michael Steele <michaels () winsnort com>
Sent: Monday, July 15, 2019 4:06:52 PM
To: 'Dorian ROSSE'
Cc: Snort-users () lists snort org
Subject: RE: [Snort-users] Portscans in BASE
 
This is all related to BASE.
 
The master MySQL sensor is running BASE which is logging portscans to the portscan.log file using the below.
 
# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
 
There are 6 slave sensors directing events to the above master sensor and all is working fine. However I have no idea 
where the portscans are being directed to from the slaves using the below.
 
# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
 
Do these portscan events get inserted into the database in some table that is not readable by base using the above 
configuration setting?
 
If there was a possibility of sharing the log file on the master sensor there is no source ID for the logged portscan 
event.
 
Maybe it is just not possible to process portscan events from remote sensors?
 
WINSNORT.com Management Team Member
--
********************************************************
*     Since 2002 ~~ Visit http://www.winsnort.com
*      ~~ FREE Windows installation Tutorials ~~
*              ~~ FREE Support Forums ~~
* Snort: Open Source Network IDS - http://www.snort.org
********************************************************
 
From: Dorian ROSSE <dorianbrice () hotmail fr> 
Sent: Monday, July 15, 2019 2:26 AM
To: Michael Steele <michaels () winsnort com>
Subject: Re: [Snort-users] Portscans in BASE
 
If you can't use porscan from readme have you try porscan example from manual snort html page about porscan?

It could works,

Télécharger Outlook pour Android
 
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Michael Steele <michaels () winsnort com>
Sent: Monday, July 15, 2019 3:22:01 AM
To: Snort-users () lists snort org
Subject: [Snort-users] Portscans in BASE
 
For the master sensor that BASE resides on the default portscan detection is configured:
 
# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
 
For the slave sensors the default portscan detection is configured:
 
# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
 
Does anyone know where are the portscans are being directed to for the slaves, and is BASE able to see them?
 
 
 
 
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

   To unsubscribe, send an email to:
   snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Attachment: smime.p7s
Description:

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Current thread:

Portscans in BASE Michael Steele (Jul 14)
- Message not available
  - Re: Portscans in BASE Michael Steele (Jul 15)
    - Re: Portscans in BASE Dorian ROSSE via Snort-users (Jul 15)
    - Re: Portscans in BASE Joel Esler (jesler) via Snort-users (Jul 15)
    - Re: Portscans in BASE Michael Steele (Jul 15)
    - Re: Portscans in BASE Jaydip M. Dudhatra via Snort-users (Jul 15)
    - Re: Portscans in BASE Dorian ROSSE via Snort-users (Jul 15)
    - Re: Portscans in BASE Joel Esler (jesler) via Snort-users (Jul 15)
    - Re: Portscans in BASE Michael Huntley via Snort-users (Jul 16)