[Snort-users] Tcpdump, alerts and portscans

Jason Lewis jlewis at ...1831...
Mon Jun 25 03:01:50 EDT 2001


So, I wake up at 2:30am and realize what the problem is.  A case of lack of
sleep and tunnel vision.  I somehow missed the -A full on the command line
for the instance of snort reading the tcpdump file.

Sometimes just writing it down and letting it bounce around in your brain is
the thing to do.  Thanks for listening.  ;)

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jason Lewis
Sent: Sunday, June 24, 2001 10:40 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Tcpdump, alerts and portscans


Maybe I have been looking at this too long and I am not seeing the obvious.
Or, maybe I made an assumption about tcpdump.

I am replaying tcpdump files with snort and putting the info into ACID.  I
am not seeing any portscans in ACID after the replay.  Is this normal?  Is
it just a configuration setting I have overlooked?  I thought tcpdump held
all the packet info and snort could replay it and identify portscans.
Wrong?

On the box that is replaying the tcpdump files, I have the following:

output database: log, mysql, dbname=snort_log user=snort host=localhost password=abc123
output database: alert, mysql, dbname=snort_log user=snort host=localhost password=abc123

What am I missing?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.
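Added example, not part of the thread above and not Snort's own code: a stand-alone Python sketch of what a portscan preprocessor does when a tcpdump file is replayed, i.e. walk the capture, pick out TCP connection attempts, and alert when one source touches several distinct destination ports within a short window. The capture is constructed inline (a classic libpcap file with Ethernet frames) so the script runs offline; the threshold of 4 ports in 3 seconds is an assumption chosen to mirror the kind of numbers a portscan preprocessor line is configured with, not a value taken from this page. The parser handles only little/big-endian libpcap with LINKTYPE_ETHERNET, not pcapng or nanosecond variants.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # libpcap magic, microsecond timestamps


def build_frame(src, dst, sport, dport, flags=0x02):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero, the parser never checks them."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)                       # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(records):
    """records: iterable of (timestamp_seconds, frame_bytes) -> bytes of a libpcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]   # linktype 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (ts, src_ip, dst_ip, sport, dport, tcp_flags) for every TCP packet in a libpcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("example parser only handles LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            continue                   # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if len(ip) < ihl + 20 or ip[9] != 6:
            continue                   # truncated, or not TCP
        tcp = ip[ihl:ihl + 20]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (sec + usec / 1e6, socket.inet_ntoa(ip[12:16]),
               socket.inet_ntoa(ip[16:20]), sport, dport, tcp[13])


def detect_portscans(pcap, threshold=4, window=3.0):
    """Alert once per source that sends SYNs to >= threshold distinct (host, port) targets within `window` seconds."""
    recent = defaultdict(list)         # src -> [(ts, (dst, dport)), ...] inside the window
    alerted, alerts = set(), []
    for ts, src, dst, _sport, dport, flags in iter_tcp(pcap):
        if not flags & 0x02 or flags & 0x10:
            continue                   # only initial SYNs are connection attempts; SYN/ACK replies are ignored
        hist = [h for h in recent[src] if ts - h[0] <= window] + [(ts, (dst, dport))]
        recent[src] = hist
        targets = {t for _, t in hist}
        if len(targets) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "time": hist[0][0],
                           "ports": sorted(p for _, p in targets)})
    return alerts


# Constructed sample capture: one sweep of five ports, plus a normal client session.
SAMPLE_PCAP = build_pcap(
    [(1.0 + i * 0.1, build_frame("10.0.0.5", "10.0.0.1", 40000 + i, p))
     for i, p in enumerate((21, 22, 23, 25, 80))]
    + [(2.0, build_frame("10.0.0.7", "10.0.0.1", 50000, 80)),
       (2.1, build_frame("10.0.0.7", "10.0.0.1", 50001, 80)),     # retry of the same port
       (2.2, build_frame("10.0.0.7", "10.0.0.1", 50002, 443)),
       (2.3, build_frame("10.0.0.1", "10.0.0.7", 443, 50002, flags=0x12))]  # server's SYN/ACK
)

if __name__ == "__main__":
    for a in detect_portscans(SAMPLE_PCAP):
        print("portscan from %s starting at t=%.1f, ports %s" % (a["src"], a["time"], a["ports"]))
```

Run against a real `tcpdump -w` file by replacing SAMPLE_PCAP with the file's bytes. The point the thread turns on is visible in the structure: the detection happens while reading the packets, independent of where alerts are written, so a replay that produces no portscan entries is a question of how alerting is configured on the replaying instance, not of anything missing from the capture.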



_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
