Snort mailing list archives
Re: spp_portscan and database schema
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 19 Jul 2002 11:56:49 -0700 (PDT)
On 19 Jul 2002, Florin Andrei wrote:
> Yes, that's precisely what i'd like to see done in a different way. That's why i wrote my first message. Not having ports (and other TCP info) in the database makes you do all kinds of weird acrobatics to get meaningful info from the data. I mean, i think it's an architectural issue here. Pre-processors cannot pass data to the output plugin because they don't have to. I'm cool with that. At least, usual preprocs don't have to, because it doesn't make sense for them to do that (what would be the purpose to begin with?). But portscan is not like the others; the very nature of the event that triggers the portscan alerts is different. Passing TCP data, like ports, etc. suddenly makes sense here.
Yes. You've got excellent points, and you're preaching to the converted on this one. ;-) Way back when Snort was just a lil' piglet, spp_portscan was written. At that time, there was no DB output. spp_portscan was never really updated to dump its full info into the DB, due to the way packets were logged (alert vs. log).
> If i understand this correctly, Marty basically says "turn on logging if you want that info in the database" (correct me if i'm wrong). I cannot do that, the traffic is way too high. I don't have multiple multi-terabyte RAID arrays available. :-)
No, not quite. ;) If you want to see portscan alerts in your DB, make the change listed in the ACID faq. The reason is that spp_portscan uses the 'alert' facility, instead of the 'log' facility. By 'log' it doesn't mean "log every packet", it means "send this packet thru the 'log' facility". 'Alert' will "send this packet thru the alert facility, generate an alert, and then 'log' the packet for later examination." Since spp_portscan uses 'alert' to send the data back into snort, you must tell snort to send 'alerts' to the DB. It still gets logged, but as an alert and not just a 'logged packet'. Does that help?
> Great! What are the differences between v2 and v1?
Codewise--A lot. Written by someone else, coded in a different way, uses more of the 'newer code' from 1.9, and generally is still _alpha_ code. :)
> <dumb_mode> Are we going to get "portscan.log in the database" with v2? :-) </dumb_mode>
I think the possibility could exist--But, I'm not a coder, nor do I play one on TV. :) My fingers are crossed.... Cheers! ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net
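The change Erek refers to, shown as an added snort.conf fragment that is not part of the original message or the ACID FAQ: the first `output database:` line ships packets through the 'log' facility only, so spp_portscan events (which come in through the 'alert' facility) never reach the database; the second line sends the alert stream to the database instead. Hostname, database name and credentials are placeholders, and the Snort 1.x `output database:` syntax is assumed.

```conf
# snort.conf (Snort 1.x) -- added example, not from the original thread.
# Placeholders: host, dbname, user and password are assumed values.

# Weak for this purpose: only the 'log' facility reaches the database.
# Rules that 'log' will show up; spp_portscan alerts will not, because
# the preprocessor hands its events to Snort via the 'alert' facility.
#output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Corrected: send the 'alert' facility to the database. spp_portscan's
# "PORTSCAN DETECTED" / "End of portscan" events now appear alongside
# rule alerts; the packet is still recorded, as an alert rather than
# as a bare logged packet.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# The preprocessor itself is unchanged. The per-connection port detail
# still goes only to the flat file named here; the DB gets the summary alert.
preprocessor portscan: $HOME_NET 4 3 portscan.log
```

Note that this does not put the per-port detail from portscan.log into the database; as the thread says, that would need the preprocessor itself to pass the TCP data through the output plugin.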
Current thread:
- spp_portscan and database schema Florin Andrei (Jul 18)
- Re: spp_portscan and database schema Erek Adams (Jul 18)
- Re: spp_portscan and database schema Florin Andrei (Jul 19)
- Re: spp_portscan and database schema Erek Adams (Jul 19)
- Re: spp_portscan and database schema Florin Andrei (Jul 19)
- Re: spp_portscan and database schema Florin Andrei (Jul 19)
- Re: spp_portscan and database schema Erek Adams (Jul 18)
- <Possible follow-ups>
- RE: spp_portscan and database schema Kreimendahl, Chad J (Jul 19)