Snort mailing list archives
RE: Tcpdump, alerts and portscans
From: "Jason Lewis" <jlewis () jasonlewis net>
Date: Mon, 25 Jun 2001 17:50:05 -0400
Actually that is what I want to do. I am in the middle of writing a paper on configuring multiple sensors with a central console box. The sensors are logging in tcpdump format and the master console pulls that info from the sensors and replays it through snort. The master console is running ACID and all the sensor data is stored in the db. This removes any extra load on the sensors and the master console is dedicated to crunching data.

I have successfully done the replay but the portscan info isn't showing up. It isn't that important to me, but I know I will get questions. So, I am looking for an alternative way of getting portscan info into ACID. I don't like the other methods of consolidating sensor data. I think tcpdump is the way to go, the portscan stuff is a detail. I can't believe I am the first to have this problem.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: Erik Fichtner [mailto:emf () servervault com]
Sent: Monday, June 25, 2001 5:21 PM
To: Jason Lewis
Cc: snort-users () lists sourceforge net; 'Phil Wood'
Subject: Re: [Snort-users] Tcpdump, alerts and portscans

On Mon, Jun 25, 2001 at 05:02:13PM -0400, Jason Lewis wrote:
> Hmmmm....... Well how about something that does analysis on the tcpdump file to detect portscans? Maybe even something to correlate data once it is in ACID?
Uh.. I don't think you want to do that. You'd have to basically capture all your network traffic and stash it in the db and then have tools grovelling over it... you'd never catch up.. (Hmm. sounds like WebTr***s...)

--
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
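Added here as an illustration of the offline portscan analysis Jason asks about above, and not code from this thread or from Snort: a threshold detector over packet records extracted from a tcpdump file, which flags a source that touches N distinct destination ports within T seconds, in the spirit of the "ports within seconds" threshold that Snort's portscan preprocessor uses. The sample records, the default thresholds, and the (timestamp, src, dst, dport) tuple layout are assumptions; in practice the tuples would be parsed out of tcpdump output before being handed to the detector.

```python
from collections import defaultdict, deque

# Constructed sample records: (timestamp, src_ip, dst_ip, dst_port), the
# fields one would pull out of a tcpdump/pcap capture. Not from the thread.
PACKETS = [
    (100.0, "10.0.0.5", "192.168.1.10", 80),
    (100.2, "10.0.0.5", "192.168.1.10", 80),   # repeat port, counted once
    (100.5, "10.0.0.5", "192.168.1.10", 22),
    (101.0, "10.0.0.5", "192.168.1.10", 443),
    (101.8, "10.0.0.5", "192.168.1.10", 25),   # 4th distinct port in <3s: alert
    (102.0, "10.0.0.5", "192.168.1.10", 21),
    (150.0, "10.0.0.7", "192.168.1.10", 80),
    (160.0, "10.0.0.7", "192.168.1.10", 22),
    (170.0, "10.0.0.7", "192.168.1.10", 443),
    (180.0, "10.0.0.7", "192.168.1.10", 25),   # spread over 30s: no alert
]


def detect_portscans(packets, ports=4, seconds=3.0):
    """Flag any source that hits `ports` distinct (dst, dport) pairs within a
    sliding window of `seconds`. Returns one alert dict per detected scan."""
    seen = defaultdict(deque)  # src -> deque of (ts, (dst, dport)), in time order
    alerts = []
    for ts, src, dst, dport in sorted(packets):
        window = seen[src]
        # Expire events that fell out of the time window.
        while window and ts - window[0][0] > seconds:
            window.popleft()
        window.append((ts, (dst, dport)))
        distinct = {target for _, target in window}
        if len(distinct) >= ports:
            alerts.append({"src": src, "first": window[0][0], "last": ts,
                           "targets": sorted(distinct)})
            window.clear()  # reset so one scan produces one alert, not many
    return alerts


if __name__ == "__main__":
    for alert in detect_portscans(PACKETS):
        print(f"portscan from {alert['src']} {alert['first']}-{alert['last']}: "
              f"{len(alert['targets'])} ports")
```

Each alert carries the source, the window bounds and the (dst, dport) pairs, which is the minimum a separate loader would need to turn it into a row for the console's database.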