Snort mailing list archives
Re: SnortCenter and multiple output plugins
From: Chris Dos <chris () chrisdos com>
Date: Sat, 09 Aug 2003 11:35:48 -0600
Erek Adams wrote:
> On Fri, 8 Aug 2003, Chris Dos wrote:
> > The reason why I need to set up two database plugins is I want to monitor portscans. If there is a new way to configure snort to send portscan alerts to LOG instead of ALERT, please let me know. Thanks.
>
> Only need one.
>
> http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
>
> Erek Adams
I read the information. However, it doesn't seem to work in practice. If I just have database logging Log and not Alert, I do not get any portscans detected listed in Acid. This is an excerpt from the Acid FAQ:
Portscan and Spade alerts are not showing up? Most likely this is due to the Snort database plug-in being configured improperly. The portscan pre-processor is hard coded to output to the "alert" logging facility; it will only write to those output plug-ins registered to "alert" logging. However, the default configuration for the database plug-in is to register itself as a "log" output facility.
Sample DB plug-in configuration for logging portscans (Note the "alert")
output database: alert, mysql, user=snort dbname=snort_log host=localhost password=foo
Even with this configuration, only the occurrence of a portscan (or spade) event will be logged to the database. The specific ports involved will not be stored. This port information is only available in the portscan log file. Logging the individual ports is currently not possible in snort due to an architectural limitation: pre-processors cannot pass data to the output plug-in.
ACID provides a limited solution to this issue by providing the capability to browse a single portscan.log log file from the IP statistics page (acid_stat_ipaddr.php). The portscan log file read by ACID is set with the $portscan_file configuration variable. Note that this port information extracted from the log file is never imported into the database. Rather, file parsing is done on demand to extract and present the relevant information. Thus, it is not possible to search on IP addresses or ports found in this file.
I've had the portscan.log file logging portscans while I was just logging using Log. But they do not show up in the database unless I log Alert as well to the database.
If I'm off my rocker and I'm doing something wrong, let me know. It will be nice to get SnortCenter working properly. I do have another problem with SnortCenter but I'll post that in another e-mail. Thanks for your help.
Chris
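The ACID FAQ quoted above explains that the database only ever receives the portscan event itself, while the per-port detail lives solely in portscan.log and is parsed by ACID on demand, so it cannot be searched. The following is an added example, not code from this thread, from Snort or from ACID: a small Python parser for that file that loads the records into memory so they can be queried by source host and port. It assumes the classic spp_portscan line layout ("Mon DD HH:MM:SS src:sport -> dst:dport TYPE FLAGS"); the sample log lines are constructed for illustration, not captured traffic.

```python
"""Parse a Snort spp_portscan ``portscan.log`` so the hosts and ports it
records can be queried, rather than only browsed on demand as ACID does.

Added example, not part of the original mailing-list thread. The line
layout below is an assumption based on the classic spp_portscan output;
the sample lines are constructed, not captured.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed spp_portscan record, e.g.
#   "Aug 09 11:35:48 10.0.0.5:40112 -> 10.0.0.1:22 SYN ******S*"
# UDP records carry no TCP flag string, so the flags group is optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+"
    r"(?P<scan>\S+)(?:\s+(?P<flags>\S+))?\s*$"
)


@dataclass(frozen=True)
class PortscanEntry:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    scan_type: str
    flags: str


def parse_line(line):
    """Return a PortscanEntry for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return PortscanEntry(
        m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
        m["scan"], m["flags"] or "",
    )


def parse_log(text):
    """Parse a whole portscan.log body, silently skipping non-matching lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def ports_by_source(entries):
    """Map each scanning source address to the sorted destination ports it probed."""
    probed = defaultdict(set)
    for e in entries:
        probed[e.src].add(e.dport)
    return {src: sorted(ports) for src, ports in probed.items()}


def targets_of(entries, src):
    """Sorted list of destination hosts a given source touched."""
    return sorted({e.dst for e in entries if e.src == src})


# Constructed sample log (not real traffic); the last line is deliberate noise.
SAMPLE_LOG = """\
Aug 09 11:35:48 10.0.0.5:40112 -> 10.0.0.1:22 SYN ******S*
Aug 09 11:35:48 10.0.0.5:40113 -> 10.0.0.1:23 SYN ******S*
Aug 09 11:35:48 10.0.0.5:40114 -> 10.0.0.1:80 SYN ******S*
Aug 09 11:35:49 10.0.0.5:40115 -> 10.0.0.2:80 SYN ******S*
Aug 09 11:36:02 192.168.7.9:1029 -> 10.0.0.1:139 UDP
this line is not a portscan record and is skipped
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for src, ports in ports_by_source(entries).items():
        print(f"{src} probed ports {ports} on {targets_of(entries, src)}")
```

Because ACID never imports this file into the database, loading it this way (or into a table of your own) is the only route to questions like "which ports did this source touch"; if your Snort build writes a different portscan.log layout, adjust LINE_RE to match before trusting the counts.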
Current thread:
- SnortCenter and multiple output plugins Chris Dos (Aug 08)
- Re: SnortCenter and multiple output plugins Erek Adams (Aug 09)
- Re: SnortCenter and multiple output plugins Chris Dos (Aug 09)
- Re: SnortCenter and multiple output plugins Erek Adams (Aug 09)
- Re: SnortCenter and multiple output plugins Chris Dos (Aug 09)
- Re: SnortCenter and multiple output plugins Erek Adams (Aug 09)