[Snort-devel] spp_portscan and it's logging behavior

Steve Halligan agent33 at ...269...
Mon May 7 17:10:29 EDT 2001


I use database logging.  It is getting kinda annoying having to go to the
text log files to see logged portscans.  I have spp_portscan attached to the
alert facility, so I do get a database entry for portscans (Actually 3 or
more entries, one for portscan detected, at least one for status, and one
for portscan ended).  These database entries jam the alert into the msg
field, and they contain no info about the ports being used or the hosts
being scanned.

To kludge "fix" this I replaced the NULL with a p in the CallAlert for the
portscan detected alert.  This way I can at least see a one packet snapshot
of the scan.  This has been a huge time saver.  I was not able to get p in
the database for the portscan status and end of portscan alerts, due to the
fact that the packet that was living in p at the time of those alerts had
nothing to do with the alert.  

My question:  Is there a better way to deal with this data?  Do we want to
find a way to log all of it to the database? (I wouldn't think so)  Is there
a way to get packet data for the status and end alerts?  Does anybody care?


-Steve




More information about the Snort-devel mailing list