[Snort-users] Tcpdump, alerts and portscans

Jason Lewis jlewis at ...1831...
Sun Jun 24 22:39:40 EDT 2001


Maybe I have been looking at this too long and I am not seeing the obvious.
Or, maybe I made an assumption about tcpdump.

I am replaying tcpdump files with snort and putting the info into ACID.  I
am not seeing any portscans in ACID after the replay.  Is this normal?  Is
it just a configuration setting I have overlooked?  I thought tcpdump held
all the packet info and snort could replay it and identify portscans.
Wrong?

On the box that is replaying the tcpdump files, I have the following:

output database: log, mysql, dbname=snort_log user=snort host=localhost password=abc123
output database: alert, mysql, dbname=snort_log user=snort host=localhost password=abc123

What am I missing?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.
