[Snort-users] Portscan preprocessors

From: Mike Feetham (mike.feethampercepta-crm.com)
Date: Tue Jul 01 2003 - 13:45:24 CDT


I've been running Snort with Acid for a while now, and everything seems
to be working properly, except detection of portscans. I'm using Snort
2.0 on RH8, and I'm logging to a MySQL database. I tried enabling the
portscan preprocessor in the snort.conf file: "preprocessor portscan:
$HOME_NET 4 3 /var/log/portscan.log". I ran a few portscans to test the
preprocessor, but I didn't see anything happening in the ACID console,
though the scans appear in the /var/log/portscan.log file.

 

  Next I tried disabling this preprocessor, and enabling the
conversation preprocessor: "preprocessor conversation:
allowed_ip_protocols all, timeout 60, max_conversations 3000", as well
as the portscan2 preprocessor: "preprocessor portscan2: scanners_max
256, targets_max 1024, target_limit 5, port_limit 20, timeout 60".
After restarting snort, and running a few portscans, I'm still not
seeing anything in the ACID console. Is there a parameter I'm missing
to get snort to log these portscans into the MySQL database?

 

Any help is appreciated,

 

Mike F.

 
