[Snort-devel] what info does snort log to database for port scans?
r.fulton at ...1343...
Sat Aug 27 19:14:01 EDT 2005
I am in the process of reworking my port scan detector (which is currently distributed with Argus (www.qosient.com) in the perl stuff in the contrib directory). At the moment I send emails for each port scan -- this was fine when I first wrote it nearly ten years ago, but now it generates many hundreds of messages an hour for our /16 block. So I no longer use it to watch for inbound scans -- instead I use it to find infected machines on our network.
What I would like to do is add an SQL 'plugin' to the program which logs the scans direct to the snort database.
Are there any docs that describe what I need to do or will I have to reverse engineer it?
PS. before anyone asks why don't I use the scan detection preprocessor in snort the answer is that my program is much smarter than the snort preprocessor and does a much better job of detecting slow scans without getting too many FPs.