Snort mailing list archives
Re: spp_portscan and database schema
From: Florin Andrei <florin () sgi com>
Date: 19 Jul 2002 16:01:23 -0700
On Fri, 2002-07-19 at 11:56, Erek Adams wrote:
On 19 Jul 2002, Florin Andrei wrote:If i understand this correctly, Marty basically says "turn on logging if you want that info in the database" (correct me if i'm wrong). I cannot do that, the traffic is way too high. I don't have multiple multi-terabyte RAID arrays available. :-)No, not quite. ;) If you want to see portscan alerts in your DB, make the change listed in the ACID faq. The reason is that spp_portscan uses the
I do see portscan alerts already. Re-read my first message. I'm running my database plugin with the "alert" option.
'alert' facility, instead of the 'log' facility. By 'log' it doesn't mean "log every packet", it means "send this packet thru the 'log' facility". 'Alert' will "send this packet thru the alert facility, generate an alert, and then 'log' the packet for later examination." Since spp_portscan uses 'alert' to send the data back into snort, you must tell snort to send 'alerts' to the DB. It still gets logged, but as an alert and not just a 'logged packet'.
But i did that already. In fact, my configuration was exactly like that to begin with: preprocessor portscan: $HOME_NET X Y portscan.log output database: alert, mysql, user=... $portscan_file = "/some/path/portscan.log"; And i'm 50% happy with what i have in ACID. Sure, the layout might be better, and the fact that the data comes from two different places shows up in the functionality of the interface. But i can live with that. But... ACID is not the only thing that taps into the database, and that's where my problem begins. Of course, i can feed portscan.log into the database via a Perl script or something, and i'm afraid that's what i'm going to do, but i hate that kind of non-standard, uglier-than-hell quick hacks... And that means modifying other tools, including ACID... :-( The purpose of the database is to make easy and fast corelations. And, in case of portscans, the things you use to corelate things are addresses, ports, etc. -- Florin Andrei Don't break things that don't need to be broken while you're fixing things that really need fixing. ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- spp_portscan and database schema Florin Andrei (Jul 18)
- Re: spp_portscan and database schema Erek Adams (Jul 18)
- Re: spp_portscan and database schema Florin Andrei (Jul 19)
- Re: spp_portscan and database schema Erek Adams (Jul 19)
- Re: spp_portscan and database schema Florin Andrei (Jul 19)
- Re: spp_portscan and database schema Florin Andrei (Jul 19)
- Re: spp_portscan and database schema Erek Adams (Jul 18)
- <Possible follow-ups>
- RE: spp_portscan and database schema Kreimendahl, Chad J (Jul 19)