[Snort-devel] what info does snort log to database for port scans?

Russell Fulton r.fulton at ...1343...
Sat Aug 27 19:14:01 EDT 2005

Hi Folks,
	I am in the process of reworking my port scan detector (which is currently distributed with Argus (www.qosient.com) in the perl stuff in the contrib directory).  At the moment I send emails for each port scan -- this was fine when I first wrote it nearly ten years ago but now it generates many 100s of messages an hour for our /16 block.  So I no longer use it to watch for inbound scans -- instead I use it to find infected machines on our network.

What I would like to do is add an SQL 'plugin' to the program which logs the scans direct to the snort database.

Are there any docs that describe what I need to do or will I have to reverse engineer it?

Cheers, Russell

PS. before anyone asks why don't I use the scan detection preprocessor in snort the answer is that my program is much smarter than the snort preprocessor and does a much better job of detecting slow scans without getting too many FPs.