[Snort-users] Tcpdump, alerts and portscans

Jason Lewis jlewis at ...1831...
Mon Jun 25 17:50:05 EDT 2001

Actually that is what I want to do.

I am the middle of writing a paper on configuring multiple sensors with a
central console box.  The sensors are logging in tcpdump format and the
master console pulls that info from the sensors and replays it through
snort.  The master console is running ACID and all the sensor data is stored
in the db.  This removes any extra load on the sensors and the master
console is dedicated to crunching data.

I have successfully done the replay but the portscan info isn't showing up.
It isn't that important to me, but I know I will get questions.  So, I am
looking for an alternative way of getting portscan info into ACID.  I don't
like the other methods of consolidating sensor data.  I think tcpdump is the
way to go, the portscan stuff is a detail.

I can't believe I am the first to have this problem.

Jason Lewis
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.

-----Original Message-----
From: Erik Fichtner [mailto:emf at ...367...]
Sent: Monday, June 25, 2001 5:21 PM
To: Jason Lewis
Cc: snort-users at lists.sourceforge.net; 'Phil Wood'
Subject: Re: [Snort-users] Tcpdump, alerts and portscans

Hash: SHA1

On Mon, Jun 25, 2001 at 05:02:13PM -0400, Jason Lewis wrote:
> Hmmmm.......  Well how about something that does analysis on the tcpdump
> file to detect portscans?  Maybe even something to correlate data once it
> in ACID?

Uh.. I don't think you want to do that.  You'd have to basically capture all
your network traffic and stash it in the db and then have tools grovelling
over it... you'd never catch up..  (Hmm. sounds like WebTr***s...)

- --
Erik Fichtner
Security Administrator, ServerVault, Inc.
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org


More information about the Snort-users mailing list