Snort mailing list archives
Re: Portscans in BASE
From: "Joel Esler (jesler) via Snort-users" <snort-users () lists snort org>
Date: Mon, 15 Jul 2019 23:59:51 +0000
Why would Cisco teach you how to use a third party interface to Snort, that we have no support for? This is a community mailing list. You aren’t paying anyone on here to teach you how to use Snort or any of its associated programs. All of the questions you are asking, most likely, can be found by a Google search or by reading the manual.

After you have exhausted doing those two, please feel free to ask complete questions here, tell us what you are trying to do. Tell us what you have already tried to do. Give us logs and output from your commands so we can see the errors you are stuck on. That is the most productive use of the time of the people on this list.

Every email you send goes to 15,000+ people. The more emails you send, the more time of theirs you are wasting. All complete questions to receive complete answers.

Sent from my iPhone

On Jul 15, 2019, at 15:28, Dorian ROSSE via Snort-users <snort-users () lists snort org> wrote:

Maybe if Cisco can teach me how to use BASE?
After I don't know why you keep stand on a manual whose don't teach how to set up portscan
Where I have false if the manual doesn't teach how to set up the program?
I find interesting where people has always against me who search always the bad and only the bad
Maybe if you search for find the good?
Have a nice evening from France🇫🇷🗼
I am as always in holiday (workout, IT and beach)
Regards.
Dorian Rosse.

Download Outlook for Android

From: Jaydip M. Dudhatra <jdudhatra () tec-system com>
Sent: Monday, July 15, 2019 4:57:52 PM
To: Michael Steele; 'Dorian ROSSE'
Cc: Snort-users () lists snort org
Subject: Re: [Snort-users] Portscans in BASE

Hi,
You are right. People just can't use the abusive words here.

Sent from my T-Mobile 4G LTE Device

-------- Original message --------
From: Michael Steele <michaels () winsnort com>
Date: 7/15/19 10:54 AM (GMT-05:00)
To: 'Dorian ROSSE' <dorianbrice () hotmail fr>
Cc: Snort-users () lists snort org
Subject: Re: [Snort-users] Portscans in BASE

If you don’t know something like BASE then don’t respond, period!

Now to direct the real issue…

What is the snort mailing list coming to. Maybe it’s time to start banning some of these people that make remarks like this!

How about it Joe, is it not time?

WINSNORT.com Management Team Member
--
********************************************************
* Since 2002 ~~ Visit http://www.winsnort.com
* ~~ FREE Windows installation Tutorials ~~
* ~~ FREE Support Forums ~~
* Snort: Open Source Network IDS - http://www.snort.org
********************************************************

From: Dorian ROSSE <dorianbrice () hotmail fr>
Sent: Monday, July 15, 2019 10:20 AM
To: Michael Steele <michaels () winsnort com>
Cc: Snort-users () lists snort org
Subject: Re: [Snort-users] Portscans in BASE

I don't know BASE but if it is as snort read the fucking manual html snort lol
Why do you keep to read a manual where nothing is explained?
Read snort html manual ;)

Download Outlook for Android

From: Michael Steele <michaels () winsnort com>
Sent: Monday, July 15, 2019 4:06:52 PM
To: 'Dorian ROSSE'
Cc: Snort-users () lists snort org
Subject: RE: [Snort-users] Portscans in BASE

This is all related to BASE.

The master MySQL sensor is running BASE which is logging portscans to the portscan.log file using the below.

# Portscan detection. For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

There are 6 slave sensors directing events to the above master sensor and all is working fine. However I have no idea where the portscans are being directed to from the slaves using the below.

# Portscan detection. For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

Do these portscan events get inserted into the database in some table that is not readable by base using the above configuration setting?

If there was a possibility of sharing the log file on the master sensor there is no source ID for the logged portscan event.

Maybe it is just not possible to process portscan events from remote sensors?

WINSNORT.com Management Team Member

From: Dorian ROSSE <dorianbrice () hotmail fr>
Sent: Monday, July 15, 2019 2:26 AM
To: Michael Steele <michaels () winsnort com>
Subject: Re: [Snort-users] Portscans in BASE

If you can't use portscan from readme have you tried portscan example from manual snort html page about portscan?
It could work,

Download Outlook for Android

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Michael Steele <michaels () winsnort com>
Sent: Monday, July 15, 2019 3:22:01 AM
To: Snort-users () lists snort org
Subject: [Snort-users] Portscans in BASE

For the master sensor that BASE resides on the default portscan detection is configured:

# Portscan detection. For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

For the slave sensors the default portscan detection is configured:

# Portscan detection. For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

Does anyone know where the portscans are being directed to for the slaves, and is BASE able to see them?

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

To unsubscribe, send an email to:
snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette