Snort mailing list archives
Re: SNORT configuration: logging alerts without portscans
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 26 Oct 2001 09:50:19 -0700 (PDT)
On Fri, 26 Oct 2001 Thomas.Klockow () cert siemens de wrote:
> I wonder if it is possible to log portscans and alerts to different files.
They already do. :)
> So portscans should go only(!) to the file specified with the portscan keyword (preprocessor portscan: 192.168.1.0/24 5 7 /var/log/portscan.log) and alerts should go only to where ever you want, syslog for example (output alert_syslog: LOG_AUTH LOG_ALERT). In my standard configuration the portscans are logged in both files, what is not my intention.
Right, you want to see a version with everything in one place (in regards to portscans).
> Any help?
Well, help I can't promise.... Think of it like this: You want an alert on _each_ event that triggers a rule, right? You need to know what ports, and such. Due to the way the portscan preprocessor works, it has to keep track of connections according to the info in the .conf file. spp_portscan sends back an alert into snort. Snort dumps it happily in the alert subsystem. Now, in your case, you don't consider that an alert. It's all in how you think of it.

Since I like knowing if someone is slowscanning my nets, I make sure to have more than one source of data. :) If you only had the alerts, you would miss a lot of packet info. With the portscan log, you get some other useful things.

I think the point may be moot, though... IIRC, spp_portscan will either be reworked, or a new one written for an upcoming release.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
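The thread's observation is that spp_portscan hands its detections to Snort's alert subsystem, so they land in every alert output (syslog here) as well as in the portscan log. With the Snort of this era there is no configuration knob to keep them out of the alert output, so a post-processing split is the practical workaround. The script below is an added example written for this page, not code from the thread or from the Snort project. It assumes syslog-style alert lines in which preprocessor messages carry the `spp_portscan:` tag, and the sample lines it embeds are constructed for illustration, not captured output.

```python
import re
from collections import Counter

# Constructed sample of Snort alert output as it would arrive via
# alert_syslog. These lines are made up for this example; the rule
# SIDs and message text are placeholders, not real Snort rules.
SAMPLE_ALERTS = """\
Oct 26 09:50:19 sensor snort: [1:1000001:1] Example rule hit [Priority: 2]: {TCP} 192.168.1.5:40123 -> 192.168.1.10:80
Oct 26 09:50:20 sensor snort: spp_portscan: PORTSCAN DETECTED from 192.168.1.5 (THRESHOLD 5 connections exceeded in 7 seconds)
Oct 26 09:50:21 sensor snort: [1:1000002:1] Example rule hit 2 [Priority: 3]: {UDP} 192.168.1.6:5353 -> 192.168.1.255:5353
Oct 26 09:50:30 sensor snort: spp_portscan: portscan status from 192.168.1.5: 7 connections across 1 hosts: TCP(7), UDP(0)
Oct 26 09:50:40 sensor snort: spp_portscan: End of portscan from 192.168.1.5: TOTAL time(21s) hosts(1) TCP(7) UDP(0)
"""

# spp_portscan prefixes every message it emits with its own name,
# which is the only marker needed to separate it from rule alerts.
PORTSCAN_RE = re.compile(r"\bspp_portscan:")
# Source address as written by the preprocessor: "... from <ip> ..."
SOURCE_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})")


def split_alerts(text):
    """Split raw alert lines into (rule_alerts, portscan_events).

    Rule alerts are what the original poster wants in the alert
    destination; portscan events are what he wants only in the
    portscan log.
    """
    rule_alerts, portscan_events = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if PORTSCAN_RE.search(line):
            portscan_events.append(line)
        else:
            rule_alerts.append(line)
    return rule_alerts, portscan_events


def scanner_sources(portscan_events):
    """Count portscan messages per reported source address.

    Keeping this summary around is the point Erek makes: the scan
    data is still worth having, just not mixed into rule alerts.
    """
    counts = Counter()
    for line in portscan_events:
        match = SOURCE_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def write_split(text, alerts_path, portscans_path):
    """Write the two streams to separate files and return their sizes."""
    rule_alerts, portscan_events = split_alerts(text)
    with open(alerts_path, "w") as fh:
        fh.write("\n".join(rule_alerts) + "\n")
    with open(portscans_path, "w") as fh:
        fh.write("\n".join(portscan_events) + "\n")
    return len(rule_alerts), len(portscan_events)


if __name__ == "__main__":
    alerts, scans = split_alerts(SAMPLE_ALERTS)
    print(f"{len(alerts)} rule alerts, {len(scans)} portscan events")
    for src, n in scanner_sources(scans).items():
        print(f"  portscan source {src}: {n} messages")
```

Run against a real alert file by piping it through `split_alerts` (or `write_split` with two output paths); the filtered rule alerts can then be forwarded to syslog while the spp_portscan lines stay with the portscan log.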