[Snort-users] Tcpdump, alerts and portscans
jlewis at ...1831...
Sun Jun 24 22:39:40 EDT 2001
Maybe I have been looking at this too long and I am not seeing the obvious.
Or, maybe I made an assumption about tcpdump.
I am replaying tcpdump files with snort and putting the info into ACID. I
am not seeing any portscans in ACID after the replay. Is this normal? Is
it just a configuration setting I have overlooked? I thought tcpdump held
all the packet info and snort could replay it and identify portscans.
On the box that is replaying the tcpdump files, I have the following:
output database: log, mysql, dbname=snort_log user=snort host=localhost
output database: alert, mysql, dbname=snort_log user=snort host=localhost
What am I missing?
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.