[Snort-users] Database logging for spp_portscan plugin

Jed Pickel jed at ...153...
Wed Sep 27 20:15:19 EDT 2000


> ~ :> Well, as soon as spo_alert_databse is done, it will be possible. Jed, any
> ~ :> news on this front? :)
> ~ :
> ~ :I still need to look into this. From what I understand (and someone
> ~ :please correct me if I am wrong), "alerts" also go to the "log"
> ~ :facility --- that is AlertFunc also calls LogFunc; thus, having a
> ~ :separate database plugin connected to the "alert" facility will not
> ~ :fix the problem. 
> 
>  Don't remember, need to have a look into that, but from what I have seen
> in portscan preprocessor, we can replace all LogFunc with AlertFunc... to
> get the thing easily done :), votes, opinions? :)

I had a look through spp_portscan. It looks to be already calling
AlertFunc. After a closer look, it turns out the problem was that the
database plugin would not log an alert if AlertFunc was called with
a NULL packet. 

This issue prompted a number of changes to the database plugin.

  * Fixed a logic error that prevented logging messages from 
    portscan preprocessor.
  * Added a configuration option that enables a user to connect the 
    plugin to the alert or log facility.
  * Changed name from spo_log_database to spo_database
  * Removed all old references that tie the plugin directly to the log 
    facility

I just committed this latest update to CVS. Portscan messages are now
logged, but the data is unstructured.  We will eventually get that to
log to a db in a structured format -- but some snort internals will
need to change first. You will need to connect the database plugin to
the "alert" facility if you want portscan messages in your database.

So to upgrade to this version you will have to change "log_database" 
to "database" in your configuration file. And you will have to add
the logging facility as the first parameter to the "output database:"
line.

Here is the new configure line format:

output database: [log | alert], [type of database], [parameter list]

Here is what I use:

output database: alert, mysql, dbname=snort user=jed password=*******


I still view this as a temporary fix because the concept of a logging
facility will probably eventually move completely out of code and into
the configuration file. Anyway, this will work in the mean time.

* Jed



More information about the Snort-users mailing list