Snort mailing list archives

Re: SNORT configuration: logging alerts without portscans


From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 26 Oct 2001 09:50:19 -0700 (PDT)

On Fri, 26 Oct 2001 Thomas.Klockow () cert siemens de wrote:

> I wonder if it is possible to log portscans and alerts to different files.

They already do.  :)

> So portscans should go only(!) to the file specified with the portscan
> keyword (preprocessor portscan: 192.168.1.0/24 5 7 /var/log/portscan.log)
> and alerts should go only to where ever you want, syslog for example (output
> alert_syslog: LOG_AUTH LOG_ALERT).

> In my standard configuration the portscans are logged in both files, which is
> not my intention.

Right, you want to see a version with everything in one place (in regards to
portscans).

> Any help?

Well, help I can't promise....  Think of it like this:

  You want an alert on _each_ event that triggers a rule, right?
  You need to know what ports, and such.
  Due to the way the portscan preprocessor works, it has to keep track of
connections according to the info in the .conf file.  spp_portscan sends back
an alert into snort.  Snort dumps it happily in the alert subsystem.  Now, in
your case, you don't consider that an alert.  It's all in how you think of it.
Since I like knowing if someone is slowscanning my nets, I make sure to have
more than one source of data.  :)  If you only had the alerts, you would miss
a lot of packet info.  With the portscan log, you get some other useful
things.

I think the point may be moot, though...  IIRC, spp_portscan will either be
reworked, or a new one written for an upcoming release.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
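Since spp_portscan hands its notices to the same alert subsystem as rule hits, one way to get the separation the original poster asked for is to demultiplex the alert stream afterwards. The script below is an added example, not code from this thread or from Snort itself; it assumes the fast-alert line layout `<timestamp> [**] <message> [**] ...`, that the preprocessor's message begins with `spp_portscan:`, and uses constructed sample lines rather than captured output.

```python
"""Split a Snort alert stream into rule alerts and spp_portscan alerts.

Added example, not code from the list post or from Snort. It assumes the
fast-alert layout '<timestamp> [**] <message> [**] ...' and that the portscan
preprocessor's message starts with 'spp_portscan:'. The sample lines are
constructed for the demo, not real captures.
"""
import re
from typing import Dict, List, Tuple

# The alert message sits between the first pair of [**] markers.
MSG_RE = re.compile(r"\[\*\*\]\s*(.*?)\s*\[\*\*\]")
# Source host named by the portscan preprocessor (assumed message wording).
SCAN_SRC_RE = re.compile(r"PORTSCAN DETECTED from (\S+)")

# Constructed sample alert lines in fast-alert style (not real captures).
SAMPLE_ALERTS = """\
10/26-09:50:19.000001 [**] [1:100001:1] LOCAL test rule [**] {TCP} 10.0.0.5:4021 -> 192.168.1.10:80
10/26-09:50:21.000002 [**] spp_portscan: PORTSCAN DETECTED from 10.0.0.5 (THRESHOLD 5 connections exceeded in 7 seconds) [**]
10/26-09:50:25.000003 [**] [1:100002:1] LOCAL another rule [**] {UDP} 10.0.0.7:53 -> 192.168.1.10:53
10/26-09:50:30.000004 [**] spp_portscan: End of portscan from 10.0.0.5: TOTAL time(5s) hosts(3) TCP(12) UDP(0) [**]
"""


def alert_message(line: str) -> str:
    """Return the text between the first [**] ... [**] pair, or '' if absent."""
    m = MSG_RE.search(line)
    return m.group(1) if m else ""


def is_portscan_alert(line: str) -> bool:
    """True when the alert was raised by spp_portscan rather than by a rule."""
    return alert_message(line).startswith("spp_portscan:")


def split_alerts(text: str) -> Tuple[List[str], List[str]]:
    """Route every non-empty line to (rule_alerts, portscan_alerts)."""
    rules: List[str] = []
    scans: List[str] = []
    for line in text.splitlines():
        if line.strip():
            (scans if is_portscan_alert(line) else rules).append(line)
    return rules, scans


def scan_sources(scan_lines: List[str]) -> Dict[str, int]:
    """Count 'PORTSCAN DETECTED' alerts per reported source host."""
    counts: Dict[str, int] = {}
    for line in scan_lines:
        m = SCAN_SRC_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    rule_alerts, scan_alerts = split_alerts(SAMPLE_ALERTS)
    print(f"{len(rule_alerts)} rule alerts, {len(scan_alerts)} portscan alerts")
    print("scan sources:", scan_sources(scan_alerts))
```

Point `split_alerts` at the contents of the alert file and write each list to its own destination to keep rule hits and scan notices apart without touching snort.conf.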

