Snort mailing list archives

Re: SnortCenter and multiple output plugins


From: Chris Dos <chris () chrisdos com>
Date: Sat, 09 Aug 2003 11:35:48 -0600



Erek Adams wrote:
> On Fri, 8 Aug 2003, Chris Dos wrote:
> > The reason why I need to set up two database plugins is I want to
> > monitor portscans.  If there is a new way to configure snort to send
> > portscan alerts to LOG instead of ALERT, please let me know.  Thanks.
>
> Only need one.
>
>         http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
>
> Erek Adams


I read the information. However, it doesn't seem to work in practice. If I just have database logging Log and not Alert, I do not get any portscans detected listed in Acid. This is an excerpt from the Acid FAQ:

Portscan and Spade alerts are not showing up?

Most likely this is due to the Snort database plug-in being configured improperly. The portscan pre-processor is hard coded to output to the "alert" logging facility; it will only write to those output plug-ins registered to "alert" logging. However, the default configuration for the database plug-in is to register itself as a "log" output facility.

Sample DB plug-in configuration for logging portscans (Note the "alert")

output database: alert, mysql, user=snort, dbname=snort_log host=localhost password=foo

Even with this configuration, only the occurrence of a portscan (or spade) event will be logged to the database. The specific ports involved will not be stored. This port information is only available in the portscan log file. Logging the individual ports is currently not possible in snort due to an architectural limitation: pre-processors cannot pass data to the output plug-in.

ACID provides a limited solution to this issue by providing the capability to browse a single portscan.log log file from the IP statistics page (acid_stat_ipaddr.php). The portscan log file read by ACID is set with the $portscan_file configuration variable. Note that this port information extracted from the log file is never imported into the database. Rather, file parsing is done on demand to extract and present the relevant information. Thus, it is not possible to search on IP addresses or ports found in this file.


I've had the portscan.log file logging portscans while I was just logging using Log. But they do not show up in the database unless I log Alert as well to the database.

If I'm off my rocker and I'm doing something wrong, let me know. It will be nice to get SnortCenter working properly. I do have another problem with SnortCenter but I'll post that in another e-mail. Thanks for your help.

        Chris
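The mismatch Chris is describing (portscan preprocessor writes to the "alert" facility, database plug-in registered only as "log") is easy to miss by eye in a long snort.conf. The script below is an added example, not code from the thread or from the Snort or ACID projects: it parses `output database:` and `preprocessor portscan` lines out of a snort.conf and reports when a portscan preprocessor is enabled but no database plug-in is registered under "alert". The two embedded snort.conf fragments are constructed for illustration, and the `preprocessor portscan\w*` pattern is an assumption meant to also catch variants such as portscan2.

```python
"""Check a snort.conf for the portscan / database-plugin facility mismatch
described in the ACID FAQ quoted above (added example, not project code)."""
import re
from typing import Dict, List

# Constructed sample: database plug-in registered only as "log".
# Portscan events go to the "alert" facility, so they never reach the DB.
SAMPLE_CONF_LOG_ONLY = """\
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
output database: log, mysql, user=snort dbname=snort_log host=localhost password=foo
"""

# Constructed sample: an "alert"-registered database plug-in added,
# as the FAQ recommends (the "log" one may stay for other rules).
SAMPLE_CONF_FIXED = """\
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
output database: alert, mysql, user=snort dbname=snort_log host=localhost password=foo
output database: log, mysql, user=snort dbname=snort_log host=localhost password=foo
"""

# "output database: <facility>, <dbtype>, <params>"
OUTPUT_RE = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,(.*)$")
# "preprocessor portscan: <args>" (assumption: \w* also matches portscan2 etc.)
PORTSCAN_RE = re.compile(r"^\s*preprocessor\s+portscan\w*\s*:\s*(.*)$")


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Collect the facility of every database output plug-in and the
    argument string of every portscan preprocessor line."""
    facilities: List[str] = []
    portscan_args: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = OUTPUT_RE.match(line)
        if m:
            facilities.append(m.group(1).lower())
            continue
        m = PORTSCAN_RE.match(line)
        if m:
            portscan_args.append(m.group(1).strip())
    return {"db_facilities": facilities, "portscan": portscan_args}


def portscan_logfiles(text: str) -> List[str]:
    """Last token of each portscan preprocessor line is the log file; this is
    the file ACID's $portscan_file should point at for per-port detail."""
    return [args.split()[-1] for args in parse_conf(text)["portscan"] if args.split()]


def check_portscan_logging(text: str) -> List[str]:
    """Return findings (empty list means the config is consistent)."""
    info = parse_conf(text)
    findings: List[str] = []
    if not info["portscan"]:
        return findings  # no portscan preprocessor, nothing to check
    if not info["db_facilities"]:
        findings.append("portscan preprocessor enabled but no database output plug-in configured")
    elif "alert" not in info["db_facilities"]:
        findings.append(
            "database plug-in registered only as '%s'; portscan events are written "
            "to the 'alert' facility and will not reach the database"
            % ", ".join(info["db_facilities"])
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("log-only", SAMPLE_CONF_LOG_ONLY), ("fixed", SAMPLE_CONF_FIXED)):
        print(name, "->", check_portscan_logging(conf) or "OK",
              "| portscan log file(s):", portscan_logfiles(conf))
```

Run it against a real snort.conf by reading the file into `check_portscan_logging`; an empty result means an "alert"-registered database plug-in exists, which is the condition ACID needs to show portscan events. The per-port detail still only lives in the file returned by `portscan_logfiles`, exactly as the FAQ says.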



