Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Tcpdump, alerts and portscans

From: "Jason Lewis" <jlewis () jasonlewis net>
Date: Sun, 24 Jun 2001 22:39:40 -0400
Maybe I have been looking at this too long and I am not seeing the obvious.
Or, maybe I made an assumption about tcpdump.

I am replaying tcpdump files with snort and putting the info into ACID.  I
am not seeing any portscans in ACID after the replay.  Is this normal?  Is
it just a configuration setting I have overlooked?  I thought tcpdump held
all the packet info and snort could replay it and identify portscans.
Wrong?

On the box that is replaying the tcpdump files, I have the following:

output database: log, mysql, dbname=snort_log user=snort host=localhost
password=abc123
output database: alert, mysql, dbname=snort_log user=snort host=localhost
password=abc123

What am I missing?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: