This is a discussion on [Snort-users] Re: [Snort-devel] portscan events not showing up in base within the Snort forums, part of the System Security and Security Related category.
Could this be the answer to my problem:

base_conf.php has this setting, which I just set:

/* Snort spp_portscan log file */
$portscan_file = '/var/log/snort/portscan2.log';

Maybe this will do the trick!

On Tue, May 23, 2006 at 12:05:16PM -0500, John Newman wrote:
> Oh, looks like this is for flow-portscan, which I'm not using.
> Maybe I should? How does it compare to sfportscan and portscan2 in
> people's experience?
>
> --
> John
>
> On Tue, May 23, 2006 at 11:53:32AM -0500, John Newman wrote:
> > I'm not familiar with this option, or even where this option would go...
> > could you give me more info?
> >
> > thanks!
> >
> > --
> > John
> >
> > On Tue, May 23, 2006 at 12:08:41PM -0400, Eric Lauzon wrote:
> > > Do you use the option:
> > > output-mode pktkludge
> > > ??
> > >
> > > Eric Lauzon
> > > [Recherche & Développement]
> > > Above Sécurité / Above Security
> > > Tél : (450) 430-8166
> > > Fax : (450) 430-1858
> > >
> > > ---------------------------------------
> > > "Premature optimization is the root of all
> > > evil (or at least most of it) in programming."
> > > - Donald Knuth
> > >
> > > > -----Original Message-----
> > > > From: snort-devel-admin@lists.sourceforge.net
> > > > [mailto:snort-devel-admin@lists.sourceforge.net] On Behalf Of
> > > > John Newman
> > > > Sent: 23 May 2006 12:06
> > > > To: snort-users@lists.sourceforge.net;
> > > > snort-devel@lists.sourceforge.net
> > > > Subject: [Snort-devel] portscan events not showing up in base
> > > >
> > > > Hello,
> > > >
> > > > I'm using snort 2.4.4 but not sfportscan, rather the older
> > > > portscan and portscan2 modules. I've just realized that, although
> > > > portscans are being detected just fine, they aren't being
> > > > propagated through barnyard into the base database.
> > > >
> > > > e.g.
> > > >
> > > > select * from acid_event where sig_name like '%portscan%' and
> > > > timestamp > '2006-05-01 00:00:00';
> > > >
> > > > returns nothing
> > > >
> > > > If I change the date portion to sometime last month, before I switched
> > > > from sfportscan, I get all sorts of results. Does anyone have any clue
> > > > what might be causing this?
> > > >
> > > > thanks,
> > > >
> > > > --
> > > > John Newman
> > > > Systems Administrator, WebXess Inc.
> > > >
> > > > -------------------------------------------------------
> > > > Using Tomcat but need to do more? Need to support web services, security?
> > > > Get stuff done quickly with pre-integrated technology to make your job easier
> > > > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> > > > http://sel.as-us.falkag.net/sel?cmd=...&bid=263057&dat=121642
> > > > _______________________________________________
> > > > Snort-devel mailing list
> > > > Snort-devel@lists.sourceforge.net
> > > > https://lists.sourceforge.net/lists/...fo/snort-devel
> > >
> > > CONFIDENTIALITY NOTICE
> > >
> > > This communication is intended for the exclusive use of the addressee identified above. Its content is confidential and may contain privileged information. If you have received this communication by error, please notify the sender and delete the message without copying or disclosing it.
> >
> > --
> > John Newman
> > Systems Administrator, WebXess Inc.
>
> --
> John Newman
> Systems Administrator, WebXess Inc.

--
John Newman
Systems Administrator, WebXess Inc.

-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=...729&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
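The check John ran against acid_event (portscan-named events after a date, then the same query with an earlier date) is a useful pipeline-health test in general: after a sensor or output change, which classes of events stopped arriving in the database? The example below is added here and is not code from the thread, from Snort, barnyard or BASE. It uses an in-memory SQLite table as a stand-in for the BASE database, with a constructed subset of acid_event's columns and made-up rows; the "(spp_portscan2) ..." message texts, addresses and timestamps are assumptions for illustration. It reproduces the thread's query and then generalizes it to a before/after comparison around a cutover time.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample rows shaped like a subset of BASE's acid_event table
# (sid, cid, sig_name, timestamp, ip_src, ip_dst). The IPs, times and
# signature texts are made up for this example, not taken from the thread.
SAMPLE_EVENTS = [
    (1, 101, "(spp_portscan2) Portscan detected from 10.0.0.5: 1 targets 21 ports in 2 seconds",
     "2006-04-20 08:15:02", "10.0.0.5", "192.168.1.10"),
    (1, 102, "ICMP PING NMAP", "2006-04-20 08:15:05", "10.0.0.5", "192.168.1.10"),
    (1, 103, "(spp_portscan2) Portscan detected from 10.0.0.7: 1 targets 15 ports in 1 seconds",
     "2006-04-28 22:40:11", "10.0.0.7", "192.168.1.20"),
    (1, 104, "WEB-MISC /etc/passwd", "2006-05-03 10:01:44", "10.0.0.9", "192.168.1.30"),
    (1, 105, "ICMP PING NMAP", "2006-05-10 13:22:09", "10.0.0.5", "192.168.1.10"),
    (1, 106, "WEB-MISC /etc/passwd", "2006-05-22 17:55:30", "10.0.0.9", "192.168.1.30"),
]


def build_db(events=SAMPLE_EVENTS):
    """In-memory SQLite stand-in for the MySQL/PostgreSQL database BASE reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE acid_event (sid INTEGER, cid INTEGER, sig_name TEXT, "
        "timestamp TEXT, ip_src TEXT, ip_dst TEXT)"
    )
    conn.executemany("INSERT INTO acid_event VALUES (?, ?, ?, ?, ?, ?)", events)
    conn.commit()
    return conn


def portscan_events_since(conn, since):
    """The thread's own check: count portscan-named events newer than `since`.
    ISO-formatted timestamp strings compare correctly as text."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM acid_event "
        "WHERE sig_name LIKE '%portscan%' AND timestamp > ?",
        (since,),
    ).fetchone()
    return count


def family(sig_name):
    """Collapse per-event detail into a family: the preprocessor tag such as
    '(spp_portscan2)' when the message starts with one, else the rule message."""
    if sig_name.startswith("(") and ")" in sig_name:
        return sig_name[: sig_name.index(")") + 1]
    return sig_name


def families_in_window(conn, start, end):
    """Distinct signature families with timestamp in [start, end)."""
    rows = conn.execute(
        "SELECT DISTINCT sig_name FROM acid_event WHERE timestamp >= ? AND timestamp < ?",
        (start, end),
    ).fetchall()
    return {family(r[0]) for r in rows}


def silent_families(conn, cutover, window_days=30):
    """Signature families seen in the `window_days` before `cutover` that never
    appear in the same span after it. Anything returned went quiet at the
    cutover: check the sensor config and the barnyard path for that class."""
    fmt = "%Y-%m-%d %H:%M:%S"
    cut = datetime.strptime(cutover, fmt)
    before_start = (cut - timedelta(days=window_days)).strftime(fmt)
    after_end = (cut + timedelta(days=window_days)).strftime(fmt)
    before = families_in_window(conn, before_start, cutover)
    after = families_in_window(conn, cutover, after_end)
    return before - after


if __name__ == "__main__":
    db = build_db()
    print("portscan events since 2006-05-01:", portscan_events_since(db, "2006-05-01 00:00:00"))
    print("portscan events since 2006-04-01:", portscan_events_since(db, "2006-04-01 00:00:00"))
    print("families silent after 2006-05-01:", silent_families(db, "2006-05-01 00:00:00"))
```

On the constructed data the first query returns 0 and the second returns 2, matching the symptom described in the thread, and silent_families reports only the portscan2 family as missing after the cutover while the signatures that still flow are unaffected. Against a real BASE database, point the same queries at the live acid_event table and pick the cutover to be the time the sensor configuration was changed; a family that goes silent while others continue tells you the insertion path is alive and the problem is specific to that event class.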