Snort mailing list archives
Portscan vs. Portscan2 alert deluge and ACID sensor name
From: "Ty Brewer" <tbrewer () pplinc com>
Date: Wed, 12 Mar 2003 09:22:37 -0600
Using: Snort 1.9, MySQL, ACID, multiple sensors, one collector (all WinXP)

1) We would like to be able to ignore port scans from a server that is generating a lot of alerts. There is a "preprocessor portscan-ignorehosts" setting that seems to only affect the old portscan, not the new portscan2. Is there a way to ignore hosts on portscan2?

1a) What are we giving up if we disable portscan2 and go back to the old portscan?

2) We have Snort set up on a remote sensor pointing to a Snort master running MySQL. All alerts are being transferred OK; however, MySQL / ACID seem to ignore the defined sensor_name and use the computer name instead. Since I have two instances of Snort running on this box, it appears that I have two sensors with the same name.

The following is how we have the remote sensor set up.

Computer name: sensor02

    output database: log, mysql, user=snort3 password=abc dbname=snort host=collector01 port=3306 sensor_name=snortsensor2
    output database: alert, mysql, user=snort3 password=abc dbname=snort host=collector01 port=3306 sensor_name=snortsensor2

Again, instead of the sensor being called "snortsensor2", it is called "sensor02" (the computer name).

The odd thing is it wasn't always behaving this way. The original name of the sensor WAS "sensor02" and that's what I used in the sensor_name definition. But one would think that if I change this then a new sensor would appear in ACID with the new name and the old name would appear as a different sensor.
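A config-side check for the second problem, added here as an example and not part of the post or of Snort/ACID: it parses the "output database:" lines from each Snort instance's configuration and reports when more than one instance on a box registers against the same collector, database and sensor_name. The two file names and the second instance's configuration are constructed for the example (the post only shows one set of lines); the parser is a plain regex over the line format shown in the post, and it does not reproduce how ACID itself derives the sensor name.

```python
import re

# Constructed sample: two snort.conf fragments, one per Snort instance on the
# same sensor box ("sensor02" in the post). Both register with the same
# sensor_name against the same collector, which is the collision described.
INSTANCE_CONFS = {
    "snort-eth0.conf": """\
output database: log, mysql, user=snort3 password=abc dbname=snort host=collector01 port=3306 sensor_name=snortsensor2
output database: alert, mysql, user=snort3 password=abc dbname=snort host=collector01 port=3306 sensor_name=snortsensor2
""",
    "snort-eth1.conf": """\
output database: log, mysql, user=snort3 password=abc dbname=snort host=collector01 port=3306 sensor_name=snortsensor2
output database: alert, mysql, user=snort3 password=abc dbname=snort host=collector01 port=3306 sensor_name=snortsensor2
""",
}

# "output database: <facility>, <db type>, key=value key=value ..."
OUTPUT_DB_RE = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.+?)\s*$")


def parse_output_database(conf_text):
    """Return one dict per 'output database:' line: the facility (log/alert),
    the database type, and the key=value parameters that follow."""
    entries = []
    for line in conf_text.splitlines():
        m = OUTPUT_DB_RE.match(line)
        if not m:
            continue  # not an output database line; ignore
        facility, db_type, params = m.groups()
        entry = {"facility": facility, "db": db_type}
        for token in params.split():
            key, _, value = token.partition("=")
            entry[key] = value
        entries.append(entry)
    return entries


def find_sensor_collisions(instance_confs):
    """Map (host, dbname, sensor_name) to the config files that claim it and
    return only the keys claimed by more than one file, i.e. instances that
    would show up in the collector under one and the same sensor name."""
    claims = {}
    for name, text in instance_confs.items():
        for entry in parse_output_database(text):
            key = (entry.get("host"), entry.get("dbname"), entry.get("sensor_name"))
            claims.setdefault(key, set()).add(name)
    return {key: sorted(files) for key, files in claims.items() if len(files) > 1}


if __name__ == "__main__":
    for (host, dbname, sensor), files in find_sensor_collisions(INSTANCE_CONFS).items():
        print(f"sensor_name={sensor} on {host}/{dbname} is claimed by: {', '.join(files)}")
```

Run as-is it reports the one collision in the constructed sample; pointing INSTANCE_CONFS at the real per-instance files gives each instance on a box a quick check that its sensor_name is unique before the collector is asked to tell them apart.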