Re: [Snort-users] No portscan alerts shown in acid.
This is a discussion on Re: [Snort-users] No portscan alerts shown in acid. within the Snort forums, part of the System Security and Security Related category; Maybe change your output database from log to alert? If I remember right, that's what I had to do... ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
10-19-2003
|
|||
|
|||
Re: [Snort-users] No portscan alerts shown in acid.
Maybe change your output database from log to alert? If I remember
right, that's what I had to do... And of course, we always have to remember to restart snort after making configuration changes :-) >>> "Peters, Michael D." <Michael.Peters@acbl.net> 10/17/03 08:20AM >>> I have made the following changes to the snort.conf file in an attempt to show portscan information in acid. I just don't see anything shown on the acid_main.php page. I do see the information being logged but nothing is being shown as a "Latest Greatest Alert". # Snort preprocessors preprocessor frag2 preprocessor stream4: detect_scans, disable_evasion_alerts, keepstats preprocessor stream4_reassemble: both preprocessor http_decode: 80 8080 18080 443 1812 3852 12345 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace preprocessor rpc_decode: 111 32771 preprocessor bo preprocessor telnet_decode preprocessor portscan: $FWO_NET 5 3 /var/snort/portscan/fwo/fwo-portscan.log preprocessor portscan-ignorehosts: 68.16.185.133/32 68.16.185.134/32 #preprocessor arpspoof #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 #preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000 #preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60 #preprocessor portscan2-ignorehosts: 172.16.0.0/12 # preprocessor perfmonitor: console flow events time 10 # output log_tcpdump: tcpdump.log output database: log, mysql, user=name password=password dbname=snort host=localhost sensor_name=FWO I have looked in the mailing archives. Can anyone assist me in finding out what I am doing wrong? Best regards, Michael D. Peters ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure,copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. ------------------------------------------------------- This SF.net email sponsored by: Enterprise Linux Forum Conference & Expo The Event For Linux Datacenter Solutions & Strategies in The Enterprise Linux in the Boardroom; in the Front Office; & in the Server Room http://www.enterpriselinuxforum.com _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
