Snort mailing list archives
problem with ACID (portscan)
From: Maxim <cineklas () wp pl>
Date: 17 Mar 2004 19:37:08 +0100
Hi all,

I installed Snort Version 2.1.1 (Build 24) to work with ACID. Everything works fine, but when I start ACID it shows me that there is no Portscan Traffic (0%).

I added this line to the snort.conf file:

preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log

and it seems that snort logs new scan attempts to this file:

Mar 17 18:53:25 192.168.0.4:1038 -> 192.168.0.5:13 SYN ******S*
Mar 17 18:53:25 192.168.0.4:1039 -> 192.168.0.5:14 SYN ******S*
Mar 17 18:53:25 192.168.0.4:1040 -> 192.168.0.5:15 SYN ******S*
Mar 17 18:53:25 192.168.0.4:1041 -> 192.168.0.5:16 SYN ******S*
Mar 17 18:53:25 192.168.0.4:1042 -> 192.168.0.5:17 SYN ******S*

Snort also adds logs to the alert file:

[**] [100:2:1] spp_portscan: portscan status from 192.168.0.4: 94 connections across 1 hosts: TCP(94), UDP(0) [**]
03/17-19:12:28.025191

I added this line to my acid_conf.php file:

$portscan_file = "/var/log/snort/portscan.log";

so I think it should work, but it doesn't. What am I doing wrong?

I don't know if it's important, but I also added a few preprocessors:

preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: detect_scans detect_state_problems
preprocessor flow-portscan

Output:

output database: log, mysql, user=snort password=xxxx dbname=snort host=localhost
output alert_unified: filename snort.alert, limit 128

----------------------
Best Regards,
Maxim.
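The portscan.log lines quoted in the post follow the fixed spp_portscan record layout (timestamp, source address:port, destination address:port, scan type, TCP flag string). The following is an added example, not part of the original thread and not ACID's or Snort's own code: a small parser for that format that groups records per source/destination pair and reports what a portscan view would need to show (probe count, destination ports, scan types, first and last timestamp). The sample input is constructed from the five lines in the post plus one malformed line; the "sequential" flag (consecutive destination ports from one source) is an assumed heuristic of this example, not an ACID field.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Snort's spp_portscan log file:
# the five lines quoted in the post plus one malformed line, to show
# that the parser skips anything it cannot match.
SAMPLE_LOG = """\
Mar 17 18:53:25 192.168.0.4:1038 -> 192.168.0.5:13 SYN ******S*
Mar 17 18:53:25 192.168.0.4:1039 -> 192.168.0.5:14 SYN ******S*
Mar 17 18:53:25 192.168.0.4:1040 -> 192.168.0.5:15 SYN ******S*
Mar 17 18:53:25 192.168.0.4:1041 -> 192.168.0.5:16 SYN ******S*
Mar 17 18:53:25 192.168.0.4:1042 -> 192.168.0.5:17 SYN ******S*
this is not a portscan record
"""

# One record: "<Mon> <day> <HH:MM:SS> <src>:<sport> -> <dst>:<dport> <scan type> <TCP flags>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<scan>\S+) (?P<flags>\S+)$"
)


def parse_line(line):
    """Parse one portscan.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(text):
    """Group records by (src, dst) and report probe count, distinct destination
    ports, scan types, first/last timestamp, and whether the ports form a
    consecutive sweep (assumed heuristic of this example)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            groups[(rec["src"], rec["dst"])].append(rec)

    summary = {}
    for key, recs in groups.items():
        ports = sorted({r["dport"] for r in recs})
        summary[key] = {
            "count": len(recs),
            "ports": ports,
            "scan_types": sorted({r["scan"] for r in recs}),
            "first": "%s %s %s" % (recs[0]["mon"], recs[0]["day"], recs[0]["time"]),
            "last": "%s %s %s" % (recs[-1]["mon"], recs[-1]["day"], recs[-1]["time"]),
            # consecutive destination ports from one source: a sequential sweep
            "sequential": len(ports) > 1 and ports == list(range(ports[0], ports[-1] + 1)),
        }
    return summary


if __name__ == "__main__":
    for (src, dst), s in summarize(SAMPLE_LOG).items():
        print("%s -> %s: %d probes, ports %d-%d, types %s, sequential=%s"
              % (src, dst, s["count"], s["ports"][0], s["ports"][-1],
                 s["scan_types"], s["sequential"]))
```

Running the block on the constructed sample reports one source/destination pair with 5 probes on ports 13 to 17, all SYN, flagged as a sequential sweep; the malformed line is dropped. Pointing `summarize` at the contents of the file named in `$portscan_file` is a quick way to confirm that the file ACID is configured to read actually contains records in this layout.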
Current thread:
- problem with ACID (portscan) Maxim (Mar 17)
- Re: problem with ACID (portscan) Marcin Laskowski (Mar 17)