[Snort-users] Database logging for spp_portscan plugin

Martin Roesch roesch at ...421...
Mon Oct 2 14:12:34 EDT 2000

Jed Pickel wrote:
> > On Fri, 22 Sep 2000 out of nowhere Steve Halligan spoke:
> >
> > ~ :The title says it all.  Any possibility of this happening?
> > ~ :
> >
> >
> > Well, as soon as spo_alert_databse is done, it will be possible. Jed, any
> > news on this front? :)
> I still need to look into this. From what I understand (and someone
> please correct me if I am wrong), "alerts" also go to the "log"
> facility --- that is AlertFunc also calls LogFunc; thus, having a
> separate database plugin connected to the "alert" facility will not
> fix the problem.

Alerts call both the alerting and logging function lists.

> Sidenote: With the code Andrew Baker submitted it seems we could
>           move the concept of "alert" and "log" to be a type
>           defined in a configuration file. This would eliminate
>           type confusion with output plugins. I will followup with
>           this later on the snort-devel list.

Yep, I need to look at this (mostly undocumented *ahem*) functionality and see
how it's performing its job a little better...

> It should be easy to get the alert messages in the database. It is
> probably something with the fact that AlertFunc is called with a NULL
> packet. I will find out what the issue is and get a fix done by the
> next release.

I've thought for quite some time that the proper thing for the portscan
preprocessor to do is to log the packet that caused the thing to go off, even
if it doesn't log all of them.  There's a more than good chance that people
are going to be interested in this packet at some time... :)

> Nevertheless, it will require some changes to the internals of snort
> to get structured portscan info into the db. I think it is necessary
> for there to be some way for pre-processors and detection plugins to
> pass additional meta-data to the output plugins. Perhaps we can look
> into adding this capability for version 2.0.



Martin Roesch
roesch at ...421...

More information about the Snort-users mailing list