[Snort-users] Acid 9.6b7 Not Showing portscan %

Ron 'The InSaNe One' Rosson insane at ...321...
Fri Apr 13 19:42:01 EDT 2001


Finally figured out why port scans were not getting logged: the OpenBSD
transparent bridge was apparently causing enough delay to not trigger
it.

With that resolved and now having a sensor that does detect portscans,
the Portscan % is always at zero. Here is a query from the mysql server:

select * from signature;

) TCP(8) UDP(0)                  |
|     22 | IDS115/Traceroute UDP                                                                                  |
|     23 | spp_portscan: PORTSCAN DETECTED from 211.33.132.40 (STEALTH)                                           |
|     24 | IDS198/SYN FIN Scan                                                                                    |
|     25 | spp_portscan: portscan status from 211.33.132.40: 8 connections across 8 hosts: TCP(8), UDP(0) STEALTH |
|     26 | spp_portscan: End of portscan from 211.33.132.40: TOTAL time(0s) hosts(8) TCP(8) UDP(0) STEALTH        |
|     27 | spp_portscan: PORTSCAN DETECTED from 210.178.9.1 (THRESHOLD 4 connections exceeded in 0 seconds)       |
|     28 | spp_portscan: portscan status from 210.178.9.1: 8 connections across 8 hosts: TCP(8), UDP(0)           |
|     29 | spp_portscan: End of portscan from 210.178.9.1: TOTAL time(3s) hosts(8) TCP(8) UDP(0)                  |
+--------+--------------------------------------------------------------------------------------------------------+
29 rows in set (0.01 sec)


TIA
-- 
------------------------------------------------------------------------------
Ron Rosson          			      ... and a UNIX user said ...
The InSaNe One                 			      rm -rf *
insane at ...322...     	            and all was /dev/null and *void()
------------------------------------------------------------------------------
         Too many freaks not enough circuses
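
An added example, not part of the original post and not ACID's or Snort's own code: the spp_portscan signature names quoted above carry the scanner's source address, host count, TCP/UDP counts and the STEALTH flag inside the text itself, so a small parser can pull those fields out of the signature table and compute what share of the rows are portscan rows. The sample rows are constructed from the `select * from signature;` output quoted above; the regexes, the `PortscanEvent` record and the helper names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: (sig_id, sig_name) rows as quoted in the post above.
SAMPLE_ROWS: List[Tuple[int, str]] = [
    (22, "IDS115/Traceroute UDP"),
    (23, "spp_portscan: PORTSCAN DETECTED from 211.33.132.40 (STEALTH)"),
    (24, "IDS198/SYN FIN Scan"),
    (25, "spp_portscan: portscan status from 211.33.132.40: 8 connections across 8 hosts: TCP(8), UDP(0) STEALTH"),
    (26, "spp_portscan: End of portscan from 211.33.132.40: TOTAL time(0s) hosts(8) TCP(8) UDP(0) STEALTH"),
    (27, "spp_portscan: PORTSCAN DETECTED from 210.178.9.1 (THRESHOLD 4 connections exceeded in 0 seconds)"),
    (28, "spp_portscan: portscan status from 210.178.9.1: 8 connections across 8 hosts: TCP(8), UDP(0)"),
    (29, "spp_portscan: End of portscan from 210.178.9.1: TOTAL time(3s) hosts(8) TCP(8) UDP(0)"),
]

# Assumed patterns for the three spp_portscan message shapes seen in the post.
DETECTED_RE = re.compile(
    r"^spp_portscan: PORTSCAN DETECTED from (?P<src>\S+) \((?P<reason>[^)]*)\)$"
)
STATUS_RE = re.compile(
    r"^spp_portscan: portscan status from (?P<src>[^:]+): (?P<conns>\d+) connections "
    r"across (?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)(?P<stealth> STEALTH)?$"
)
END_RE = re.compile(
    r"^spp_portscan: End of portscan from (?P<src>[^:]+): TOTAL time\((?P<secs>\d+)s\) "
    r"hosts\((?P<hosts>\d+)\) TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)(?P<stealth> STEALTH)?$"
)


@dataclass
class PortscanEvent:
    sig_id: int
    kind: str                 # "detected", "status", "end" or "unknown"
    src: str
    hosts: Optional[int] = None
    tcp: Optional[int] = None
    udp: Optional[int] = None
    duration_s: Optional[int] = None
    stealth: bool = False
    reason: Optional[str] = None


def parse_signature(sig_id: int, name: str) -> Optional[PortscanEvent]:
    """Return a PortscanEvent for spp_portscan signature names, None for rule signatures."""
    if not name.startswith("spp_portscan:"):
        return None
    m = DETECTED_RE.match(name)
    if m:
        return PortscanEvent(sig_id, "detected", m["src"],
                             reason=m["reason"], stealth=(m["reason"] == "STEALTH"))
    m = STATUS_RE.match(name)
    if m:
        return PortscanEvent(sig_id, "status", m["src"], hosts=int(m["hosts"]),
                             tcp=int(m["tcp"]), udp=int(m["udp"]), stealth=bool(m["stealth"]))
    m = END_RE.match(name)
    if m:
        return PortscanEvent(sig_id, "end", m["src"], hosts=int(m["hosts"]),
                             tcp=int(m["tcp"]), udp=int(m["udp"]), duration_s=int(m["secs"]),
                             stealth=bool(m["stealth"]))
    # An spp_portscan message in a shape this example does not know; keep it counted.
    return PortscanEvent(sig_id, "unknown", "?")


def portscan_share(rows: List[Tuple[int, str]]) -> Tuple[int, int, float]:
    """Return (portscan_rows, total_rows, percent) over the given signature rows."""
    total = len(rows)
    scans = sum(1 for sig_id, name in rows if parse_signature(sig_id, name) is not None)
    percent = round(100.0 * scans / total, 1) if total else 0.0
    return scans, total, percent


def summarize_by_source(rows: List[Tuple[int, str]]) -> Dict[str, dict]:
    """Collapse the detected/status/end triplet of each scanner into one record per source."""
    out: Dict[str, dict] = {}
    for sig_id, name in rows:
        ev = parse_signature(sig_id, name)
        if ev is None or ev.kind == "unknown":
            continue
        entry = out.setdefault(ev.src, {"stealth": False, "reason": None, "hosts": None,
                                        "tcp": None, "udp": None, "duration_s": None})
        entry["stealth"] = entry["stealth"] or ev.stealth
        if ev.kind == "detected":
            entry["reason"] = ev.reason
        elif ev.kind == "end":   # the End line carries the final totals for the scan
            entry.update(hosts=ev.hosts, tcp=ev.tcp, udp=ev.udp, duration_s=ev.duration_s)
    return out


if __name__ == "__main__":
    scans, total, pct = portscan_share(SAMPLE_ROWS)
    print(f"{scans} of {total} signature rows are spp_portscan ({pct}%)")
    for src, info in summarize_by_source(SAMPLE_ROWS).items():
        print(src, info)
```

Because each spp_portscan message is stored as its own signature name with the source address embedded, the signature table gains a row per scanning host rather than one fixed portscan signature; any percentage computed over the signature table (as this example does) will therefore differ from one computed over the event table, and which table the console reads from decides what the figure means.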