[Snort-users] Database logging for spp_portscan plugin
jed at ...153...
Mon Sep 25 19:11:29 EDT 2000
> On Fri, 22 Sep 2000 out of nowhere Steve Halligan spoke:
> ~ :The title says it all. Any possibility of this happening?
> ~ :
> Well, as soon as spo_alert_database is done, it will be possible. Jed, any
> news on this front? :)
I still need to look into this. From what I understand (and someone
please correct me if I am wrong), "alerts" also go to the "log"
facility --- that is AlertFunc also calls LogFunc; thus, having a
separate database plugin connected to the "alert" facility will not
fix the problem.
Sidenote: With the code Andrew Baker submitted it seems we could
move the concept of "alert" and "log" to be a type
defined in a configuration file. This would eliminate
type confusion with output plugins. I will follow up with
this later on the snort-devel list.
It should be easy to get the alert messages in the database. It is
probably something with the fact that AlertFunc is called with a NULL
packet. I will find out what the issue is and get a fix done by the
Nevertheless, it will require some changes to the internals of snort
to get structured portscan info into the db. I think it is necessary
for there to be some way for pre-processors and detection plugins to
pass additional meta-data to the output plugins. Perhaps we can look
into adding this capability for version 2.0.
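The following C sketch is an added illustration for this thread, not Snort's code and not Jed's patch. It shows the shape of what the message asks for: an alert dispatch layer that hands output plugins an event carrying an optional packet plus optional structured metadata from a preprocessor, and a database-style plugin that copes with a portscan alert arriving with a NULL packet instead of dereferencing it. Every name here (Event, PortscanMeta, alert_func, db_output, register_alert_plugin) is hypothetical; the plugin stores the row text it would insert so the result can be inspected offline.

```c
/* Added example, not Snort's own code. All type and function names are
 * hypothetical stand-ins for an alert/log dispatch layer and an output
 * plugin that receives structured preprocessor metadata. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_PLUGINS 4
#define MAX_ROWS 16
#define ROW_LEN 256

/* Minimal stand-in for a decoded packet; only the fields we log. */
typedef struct {
    char src_ip[16];
    char dst_ip[16];
    uint16_t src_port;
    uint16_t dst_port;
} Packet;

/* Kinds of metadata a preprocessor might attach to an event. */
typedef enum { META_NONE = 0, META_PORTSCAN = 1 } MetaKind;

/* What a portscan preprocessor knows that no single packet carries. */
typedef struct {
    char scanner_ip[16];
    int ports_hit;      /* distinct destination ports touched */
    int window_secs;    /* observation window in seconds */
} PortscanMeta;

/* The event handed to output plugins: message, optional packet,
 * optional structured metadata (hypothetical layout). */
typedef struct {
    const char *msg;
    const Packet *pkt;   /* NULL when no single packet applies, as for a portscan */
    MetaKind meta_kind;
    const void *meta;    /* PortscanMeta when meta_kind == META_PORTSCAN */
} Event;

typedef void (*OutputFunc)(const Event *ev);

static OutputFunc alert_plugins[MAX_PLUGINS];
static int n_alert_plugins = 0;

void register_alert_plugin(OutputFunc fn) {
    if (n_alert_plugins < MAX_PLUGINS) alert_plugins[n_alert_plugins++] = fn;
}

/* Dispatch: every registered alert output plugin sees the same event. */
void alert_func(const Event *ev) {
    for (int i = 0; i < n_alert_plugins; i++) alert_plugins[i](ev);
}

/* Toy "database" plugin: instead of talking to a DBMS it keeps the row
 * it would insert. A real plugin must bind parameters rather than
 * format SQL text from message and address strings. */
static char db_rows[MAX_ROWS][ROW_LEN];
static int db_row_count = 0;

void db_output(const Event *ev) {
    if (db_row_count >= MAX_ROWS) return;
    char *row = db_rows[db_row_count];
    if (ev->meta_kind == META_PORTSCAN && ev->meta != NULL) {
        const PortscanMeta *ps = (const PortscanMeta *)ev->meta;
        snprintf(row, ROW_LEN,
                 "INSERT INTO portscan(msg,scanner,ports,window) VALUES('%s','%s',%d,%d)",
                 ev->msg, ps->scanner_ip, ps->ports_hit, ps->window_secs);
    } else if (ev->pkt != NULL) {
        snprintf(row, ROW_LEN,
                 "INSERT INTO event(msg,src,sport,dst,dport) VALUES('%s','%s',%u,'%s',%u)",
                 ev->msg, ev->pkt->src_ip, (unsigned)ev->pkt->src_port,
                 ev->pkt->dst_ip, (unsigned)ev->pkt->dst_port);
    } else {
        /* Neither packet nor metadata: record the message alone rather
         * than dereferencing a NULL packet. */
        snprintf(row, ROW_LEN, "INSERT INTO event(msg) VALUES('%s')", ev->msg);
    }
    db_row_count++;
}

const char *db_row(int i) { return (i >= 0 && i < db_row_count) ? db_rows[i] : NULL; }
int db_count(void) { return db_row_count; }
void db_reset(void) { db_row_count = 0; n_alert_plugins = 0; }

/* Drive the three cases with constructed sample events: a packet-based
 * alert, a portscan alert with metadata and no packet, and a bare alert.
 * Returns the number of rows the plugin produced. */
int run_demo(void) {
    db_reset();
    register_alert_plugin(db_output);

    Packet p = { "10.0.0.5", "10.0.0.9", 40000, 22 };       /* constructed */
    Event e1 = { "SSH probe", &p, META_NONE, NULL };
    alert_func(&e1);

    PortscanMeta ps = { "10.0.0.5", 37, 3 };                 /* constructed */
    Event e2 = { "spp_portscan: PORTSCAN DETECTED", NULL, META_PORTSCAN, &ps };
    alert_func(&e2);

    Event e3 = { "bare alert", NULL, META_NONE, NULL };
    alert_func(&e3);
    return db_count();
}

int main(void) {
    int n = run_demo();
    for (int i = 0; i < n; i++) printf("%s\n", db_row(i));
    return 0;
}
```

The point of the third case is the one the message raises: a plugin that assumes every alert comes with a packet will fall over on spp_portscan output, so the event, not the packet, is the unit an output plugin should be written against.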