Snort mailing list archives

RE: spp_portscan and mysql


From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Mon, 13 May 2002 10:13:54 -0400


From: Mikael Chambon [mailto:snort-ml () cronos org]
I am using snort 1.8.6, mysql 3.23.49, snortreport 1.11 on a Linux 2.4.18.
Snort is correctly detecting portscans and correctly writes alert and portscan.log:

May 12 19:44:37 207.71.92.221:15000 -> 192.168.X.X:5000 SYN ******S*
May 12 19:44:36 207.71.92.221:10445 -> 192.168.X.X:445 SYN ******S*
May 12 19:44:36 207.71.92.221:10143 -> 192.168.X.X:143 SYN ******S*
May 12 19:44:36 207.71.92.221:10139 -> 192.168.X.X:139 SYN ******S*

The problem is, nothing is written in the SQL databases when it comes from
spp_portscan.

...check your snort.conf file, I would guess you have something along the
lines of:

        output database: log, mysql, <other options>
                             ^^^        
In order to see portscan data you need to modify the above to:

        output database: alert, mysql, <other options>
                       ^^^^^

As we can see there is nothing from spp_portscan (but spp_stream4 mysql
logging is working)

because spp_stream4 writes to the log facility and spp_portscan does not...

I am not a SQL or snort guru and I used the "create_mysql" file (from snort
contrib) to create sql tables.

Is it normal? Did I miss something? What can I do?

You can make the change above, but beware, the data will not appear in your
database as it does in your portscan.log file.  The format is something like
(as it would appear in your alert file)....

        " spp_portscan: PORTSCAN DETECTED to port 80 from XXX.XXX.XXX.XXX "

- Jeff
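The following is an added example, not part of this thread and not Snort project code. It parses portscan.log entries in the layout quoted above and checks a snort.conf excerpt for the mistake the reply describes: the portscan preprocessor is enabled, but the only `output database:` line is bound to the `log` facility, so spp_portscan events (which go to the `alert` facility) never reach the database. The log lines and the snort.conf excerpt are constructed samples (addresses are documentation/private ranges, not the ones in the original post); the helper names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the spp_portscan portscan.log layout quoted in the thread.
# The real source/destination addresses are replaced with documentation and
# private-range addresses.
SAMPLE_PORTSCAN_LOG = """\
May 12 19:44:37 198.51.100.7:15000 -> 192.168.1.10:5000 SYN ******S*
May 12 19:44:36 198.51.100.7:10445 -> 192.168.1.10:445 SYN ******S*
May 12 19:44:36 198.51.100.7:10143 -> 192.168.1.10:143 SYN ******S*
May 12 19:44:36 198.51.100.7:10139 -> 192.168.1.10:139 SYN ******S*
"""

# Constructed snort.conf excerpt (Snort 1.x syntax) showing the misconfiguration
# discussed in the reply: the database output is attached to "log", not "alert".
SAMPLE_SNORT_CONF_BROKEN = """\
preprocessor stream4: detect_scans
preprocessor portscan: 192.168.1.0/24 4 3 portscan.log
output database: log, mysql, user=snort dbname=snort host=localhost
"""

# Same excerpt with the facility changed as the reply suggests.
SAMPLE_SNORT_CONF_FIXED = SAMPLE_SNORT_CONF_BROKEN.replace(
    "output database: log,", "output database: alert,"
)

# "<Mon> <day> <HH:MM:SS> <src>:<sport> -> <dst>:<dport> <type> [<flags>]"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<kind>\S+)(?: (?P<flags>\S+))?$"
)


@dataclass
class ScanEntry:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    kind: str
    flags: Optional[str]


def parse_portscan_log(text: str) -> List[ScanEntry]:
    """Parse portscan.log lines; lines not in the expected layout are skipped."""
    entries: List[ScanEntry] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        entries.append(ScanEntry(m["ts"], m["src"], int(m["sport"]),
                                 m["dst"], int(m["dport"]), m["kind"], m["flags"]))
    return entries


def ports_by_source(entries: List[ScanEntry]) -> Dict[str, List[int]]:
    """Distinct destination ports touched per source address, sorted."""
    seen: Dict[str, set] = {}
    for e in entries:
        seen.setdefault(e.src, set()).add(e.dport)
    return {src: sorted(p) for src, p in seen.items()}


def parse_output_database(conf: str) -> List[Tuple[str, str]]:
    """Return (facility, backend) for every 'output database:' line."""
    found: List[Tuple[str, str]] = []
    for line in conf.splitlines():
        s = line.strip()
        if not s.startswith("output database:"):
            continue
        fields = [f.strip() for f in s[len("output database:"):].split(",")]
        if len(fields) >= 2:
            found.append((fields[0], fields[1]))
    return found


def check_portscan_db_logging(conf: str) -> List[str]:
    """Warn if spp_portscan is enabled but no database output is bound to the
    'alert' facility, which is the facility spp_portscan writes to."""
    lines = [l.strip() for l in conf.splitlines()]
    portscan_on = any(l.startswith("preprocessor portscan") for l in lines)
    facilities = {fac for fac, _ in parse_output_database(conf)}
    if portscan_on and "alert" not in facilities:
        return ["spp_portscan is enabled but no 'output database: alert, ...' "
                "line exists; portscan events will not reach the database"]
    return []


if __name__ == "__main__":
    entries = parse_portscan_log(SAMPLE_PORTSCAN_LOG)
    print(ports_by_source(entries))
    print(check_portscan_db_logging(SAMPLE_SNORT_CONF_BROKEN))
    print(check_portscan_db_logging(SAMPLE_SNORT_CONF_FIXED))
```

The checker only inspects the facility keyword; whether the database plugin is compiled in and reachable is a separate operational check, and, as the reply notes, even with the fix the portscan data lands as alert-style rows rather than the per-packet lines of portscan.log.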

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users