This is a discussion on Re: [Snort-users] portscan events not showing up in base within the Snort forums, part of the System Security and Security Related category.
Woops...

the portscan2 module should've read, and now does read

preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 12, port_limit 25, timeout 3, log portscan2.log

I keep log files for the two portscan preprocessors that I rotate quite frequently (every time they hit 20 megs) with some perl code I wrote, just in case I need more info than the DB gives me (in this case it's been helpful since I'm getting no portscan info from the db :)

--
john

On Tue, May 23, 2006 at 11:52:37AM -0500, John Newman wrote:
> preprocessor portscan: $HOME_NET 25 3 portscan.log
> preprocessor portscan-ignorehosts: XX.XX.XX.XX/XX
>
> preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 12, port_limit 25, timeout 3
> preprocessor portscan2-ignorehosts: XX.XX.XX.XX/XX
> preprocessor portscan2-ignoreports-from: 25
> preprocessor portscan2-ignoreports-to: 25
>
> Replace the XX.XX's with my network addresses.
>
> thanks,
>
> --
> John
>
> On Tue, May 23, 2006 at 12:07:30PM -0400, Joel Esler wrote:
> > What is your portscan line from your snort.conf file?
> >
> > Joel
> >
> > John Newman wrote:
> > > Hello,
> > >
> > > I'm using snort 2.4.4 but not sfportscan, rather the older portscan and
> > > portscan2 modules. I've just realized that, although portscans are
> > > being detected just fine, they aren't being propagated through barnyard
> > > into the base database.
> > >
> > > e.g.
> > >
> > > select * from acid_event where sig_name like '%portscan%' and timestamp > '2006-05-01 00:00:00';
> > >
> > > returns nothing
> > >
> > > If I change the date portion to sometime last month, before I switched
> > > from sfportscan, I get all sorts of results. Does anyone have any clue
> > > what might be causing this?
> > >
> > > thanks,
>
> --
> John Newman
> Systems Administrator, WebXess Inc.

--
John Newman
Systems Administrator, WebXess Inc.

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
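The symptom in this thread (a signature family still detected by the sensor but no longer reaching the BASE database after a config change) can be caught routinely with a pipeline health check that compares per-signature counts before and after a pivot date. The script below is an added example, not code from the thread or from Snort/BASE: it assumes the acid_event columns sid, cid, sig_name and timestamp from the standard Snort database schema, uses an in-memory SQLite table as a stand-in for the real MySQL database so it runs offline, and the rows and the helper names (load_events, count_by_pattern, silent_signatures) are constructed for the example.

```python
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed acid_event rows (sid, cid, sig_name, timestamp); portscan stops in May.
SAMPLE_EVENTS = [
    (1, 1, "spp_portscan: PORTSCAN DETECTED", "2006-04-20 08:00:00"),
    (1, 2, "spp_portscan: PORTSCAN DETECTED", "2006-04-28 10:15:00"),
    (1, 3, "ICMP PING NMAP", "2006-04-29 12:00:00"),
    (1, 4, "ICMP PING NMAP", "2006-05-02 12:00:00"),
    (1, 5, "WEB-MISC robots.txt access", "2006-05-10 09:30:00"),
    (1, 6, "ICMP PING NMAP", "2006-05-20 14:05:00"),
]

def load_events(rows):
    """In-memory stand-in for BASE's acid_event table (assumption: SQLite so
    the check runs offline; the real table normally lives in MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE acid_event "
                 "(sid INTEGER, cid INTEGER, sig_name TEXT, timestamp TEXT)")
    conn.executemany("INSERT INTO acid_event VALUES (?, ?, ?, ?)", rows)
    return conn

def count_by_pattern(conn, pattern, start, end):
    """Events whose sig_name matches a LIKE pattern, start <= timestamp < end."""
    return conn.execute(
        "SELECT COUNT(*) FROM acid_event "
        "WHERE sig_name LIKE ? AND timestamp >= ? AND timestamp < ?",
        (pattern, start, end)).fetchone()[0]

def silent_signatures(conn, patterns, pivot, days=30):
    """Patterns with events in the `days` before `pivot` but none after it;
    a family that goes quiet across a config change points at the output path."""
    pivot_dt = datetime.strptime(pivot, FMT)
    before = (pivot_dt - timedelta(days=days)).strftime(FMT)
    after = (pivot_dt + timedelta(days=days)).strftime(FMT)
    silent = []
    for pat in patterns:
        old = count_by_pattern(conn, pat, before, pivot)
        new = count_by_pattern(conn, pat, pivot, after)
        if old > 0 and new == 0:
            silent.append((pat, old))
    return silent

if __name__ == "__main__":
    conn = load_events(SAMPLE_EVENTS)
    pivot = "2006-05-01 00:00:00"  # when the sensor switched away from sfportscan
    for pat, old in silent_signatures(conn, ["%portscan%", "%NMAP%", "%WEB-MISC%"], pivot):
        print(f"{pat}: {old} events before {pivot}, none after; check the barnyard output path")
```

Against a live BASE database the same two queries can be pointed at the real connection; a family that is silent in the database but still present in the preprocessor's own log file (portscan.log / portscan2.log here) narrows the fault to barnyard and its output plugin rather than to detection.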