[Snort-users] Database logging for spp_portscan plugin

Jed Pickel jed at ...153...
Mon Sep 25 19:11:29 EDT 2000


> On Fri, 22 Sep 2000 out of nowhere Steve Halligan spoke:
> 
> ~ :The title says it all.  Any possibility of this happening?
> ~ :
> 
> 
> Well, as soon as spo_alert_database is done, it will be possible. Jed, any
> news on this front? :)

I still need to look into this. From what I understand (and someone
please correct me if I am wrong), "alerts" also go to the "log"
facility --- that is AlertFunc also calls LogFunc; thus, having a
separate database plugin connected to the "alert" facility will not
fix the problem. 

Sidenote: With the code Andrew Baker submitted it seems we could
          move the concept of "alert" and "log" to be a type 
          defined in a configuration file. This would eliminate
          type confusion with output plugins. I will follow up on
          this later on the snort-devel list.

It should be easy to get the alert messages in the database. It is
probably something with the fact that AlertFunc is called with a NULL
packet. I will find out what the issue is and get a fix done by the
next release.

Nevertheless, it will require some changes to the internals of snort
to get structured portscan info into the db. I think it is necessary
for there to be some way for pre-processors and detection plugins to
pass additional meta-data to the output plugins. Perhaps we can look
into adding this capability for version 2.0.

* Jed
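The message above identifies two things a database output plugin has to cope with: an alert callback that may arrive with a NULL packet (the portscan case), and the lack of a channel for a preprocessor to hand structured metadata to the output side. The following is an added illustration of how an output handler can treat those cases defensively; it is not Snort's code and not its plugin API. The `Packet`, `AlertMeta` and `DbRow` types, the `db_alert` function and the sample values are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified records. These are illustration types only and
   are not Snort's real Packet or output-plugin structures. */
typedef struct {
    uint32_t sip, dip;   /* IPv4 addresses, host byte order */
    uint16_t sp, dp;     /* source and destination ports */
} Packet;

/* Hypothetical metadata a preprocessor could attach to an alert. This models
   the "additional meta-data" the message asks for; it is not a Snort API. */
typedef struct {
    const char *source;    /* which component raised the alert */
    int scanned_ports;     /* preprocessor-specific detail */
} AlertMeta;

/* The row an output plugin would hand to a database layer. */
typedef struct {
    char msg[128];
    char sip[16], dip[16];
    uint16_t sp, dp;
    int has_packet;        /* 0 when the alert arrived without a packet */
    char source[32];
    int scanned_ports;
} DbRow;

static void ip_to_str(uint32_t ip, char *out, size_t n) {
    snprintf(out, n, "%u.%u.%u.%u",
             (unsigned)(ip >> 24) & 255u, (unsigned)(ip >> 16) & 255u,
             (unsigned)(ip >> 8) & 255u, (unsigned)ip & 255u);
}

/* Alert handler that tolerates a NULL packet. Returns 0 for a packet-backed
   alert, 1 for a packet-less alert (text and metadata only), -1 on a bad call.
   Addresses are only read after the NULL check, so a portscan-style alert
   with no packet cannot crash the output plugin. */
int db_alert(const Packet *p, const char *msg, const AlertMeta *meta, DbRow *row) {
    if (msg == NULL || row == NULL)
        return -1;
    memset(row, 0, sizeof *row);
    snprintf(row->msg, sizeof row->msg, "%s", msg);
    if (meta != NULL) {
        snprintf(row->source, sizeof row->source, "%s",
                 meta->source ? meta->source : "");
        row->scanned_ports = meta->scanned_ports;
    }
    if (p == NULL) {
        /* Packet-less alert: keep the message and metadata, leave addresses empty. */
        row->has_packet = 0;
        return 1;
    }
    row->has_packet = 1;
    ip_to_str(p->sip, row->sip, sizeof row->sip);
    ip_to_str(p->dip, row->dip, sizeof row->dip);
    row->sp = p->sp;
    row->dp = p->dp;
    return 0;
}

int main(void) {
    /* Constructed sample input, not captured from a running Snort. */
    Packet p = { 0xC0A80001u, 0x0A000005u, 40000, 22 };
    AlertMeta scan = { "spp_portscan", 37 };
    DbRow row;

    int rc = db_alert(&p, "constructed signature alert", NULL, &row);
    printf("rc=%d has_packet=%d %s:%u -> %s:%u\n", rc, row.has_packet,
           row.sip, (unsigned)row.sp, row.dip, (unsigned)row.dp);

    rc = db_alert(NULL, "constructed portscan alert", &scan, &row);
    printf("rc=%d has_packet=%d source=%s ports=%d\n", rc, row.has_packet,
           row.source, row.scanned_ports);
    return 0;
}
```

The `has_packet` flag is what lets the database side distinguish a signature hit with addresses from a preprocessor alert that only carries a message, and the separate `AlertMeta` argument is one shape the metadata pass-through discussed for a later version could take.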