Portscan preprocessors

["Mike Feetham" <mike.feetham () percepta-crm com>]

I've been running Snort with Acid for awhile now, and everything seems
to be working properly, except detection of portscans.  I'm using Snort
2.0 on RH8, and I'm logging to a MySQL database.  I tried enabling the
portscan preprocessor in the snort.conf file:  "preprocessor portscan:
$HOME_NET 4 3 /var/log/portscan.log".  I ran a few portscans to test the
preprocessor, but I didn't see anything happening in the ACID console,
though the scans appear in the /var/log/portscan.log file.

 

  Next I tried disabling this preprocessor, and enabling the
conversation preprocessor: "preprocessor conversation:
allowed_ip_protocols all, timeout 60, max_conversations 3000", as well
as the portscan2 preprocessor: "preprocessor portscan2: scanners_max
256, targets_max 1024, target_limit 5, port_limit 20, timeout 60".
After restarting snort, and running a few portscans, I'm still not
seeing anything in the ACID console.  Is there a parameter I'm missing
to get snort to log these portscans into the MySQL database?

 

Any help is appreciated,

 

Mike F.