[Snort-users] Tcpdump, alerts and portscans
roesch at ...1935...
Mon Jun 25 18:35:52 EDT 2001
Look at the spo_unified plugin, that may have some of the answers you're
looking for. Pretty soon (ver 1.8) you'll have a binary definition file
for Snort logs and alerts that allows you to move the information for
portscans around more easily for importation into something like
ACID/external logging systems.
I'll explain more in depth when I get a little free time (or when 1.8
Jason Lewis wrote:
> Actually that is what I want to do.
> I am in the middle of writing a paper on configuring multiple sensors with a
> central console box. The sensors are logging in tcpdump format and the
> master console pulls that info from the sensors and replays it through
> snort. The master console is running ACID and all the sensor data is stored
> in the db. This removes any extra load on the sensors and the master
> console is dedicated to crunching data.
> I have successfully done the replay but the portscan info isn't showing up.
> It isn't that important to me, but I know I will get questions. So, I am
> looking for an alternative way of getting portscan info into ACID. I don't
> like the other methods of consolidating sensor data. I think tcpdump is the
> way to go, the portscan stuff is a detail.
> I can't believe I am the first to have this problem.
> Jason Lewis
> It's not secure "Because they told me it was secure".
> The people at the other end of the link know less
> about security than you do. And that's scary.
> -----Original Message-----
> From: Erik Fichtner [mailto:emf at ...367...]
> Sent: Monday, June 25, 2001 5:21 PM
> To: Jason Lewis
> Cc: snort-users at lists.sourceforge.net; 'Phil Wood'
> Subject: Re: [Snort-users] Tcpdump, alerts and portscans
> On Mon, Jun 25, 2001 at 05:02:13PM -0400, Jason Lewis wrote:
> > Hmmmm....... Well how about something that does analysis on the tcpdump
> > file to detect portscans? Maybe even something to correlate data once it is
> > in ACID?
> Uh.. I don't think you want to do that. You'd have to basically capture all
> your network traffic and stash it in the db and then have tools grovelling
> over it... you'd never catch up.. (Hmm. sounds like WebTr***s...)
> --
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
roesch at ...1935...
http://www.sourcefire.com - http://www.snort.org
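As an added example (not code from this thread, Snort or ACID), here is a minimal reader for the tcpdump/libpcap format that flags a source sending TCP SYNs to many distinct destination ports, the kind of offline portscan analysis of a capture file that Jason asked about. The pcap bytes are constructed inline, and the scan threshold is an assumption.

```python
import struct
from collections import defaultdict

# Constructed libpcap global header (little-endian, linktype 1 = Ethernet); not a real capture.
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def tcp_syn_frame(src_ip, dst_ip, dport, sport=40000):
    """Build a minimal Ethernet + IPv4 + TCP SYN frame (checksums left zero; enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def pcap_record(frame, ts=0):
    """Wrap a frame in a pcap record header: ts_sec, ts_usec, incl_len, orig_len."""
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

def iter_packets(data):
    """Yield (src_ip, dst_ip, dport, tcp_flags) for each IPv4/TCP record in little-endian pcap bytes."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    assert magic == 0xA1B2C3D4 and linktype == 1, "expected little-endian Ethernet pcap"
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4, or not TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        dport = struct.unpack_from("!H", tcp, 2)[0]
        yield src, dst, dport, tcp[13]

def find_portscans(data, threshold=4):
    """Flag source IPs whose SYNs touch more than `threshold` distinct (dst, port) pairs (assumed limit)."""
    targets = defaultdict(set)
    for src, dst, dport, flags in iter_packets(data):
        if (flags & 0x12) == 0x02:          # SYN set, ACK clear: a connection attempt
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) > threshold}

# Constructed sample: one host probing ports 20-29, one host making a single connection.
SAMPLE = PCAP_GLOBAL_HDR + b"".join(
    pcap_record(tcp_syn_frame("10.0.0.5", "10.0.0.1", p)) for p in range(20, 30)
) + pcap_record(tcp_syn_frame("10.0.0.9", "10.0.0.1", 80))

if __name__ == "__main__":
    print(find_portscans(SAMPLE))
```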