[Snort-users] logging portscans to database

Kevin.Brown at ...1022...
Mon Mar 12 23:22:44 EST 2001


portscans are captured by a plugin for snort called spp.  I too think it
would be nice if spp logged the source ip address in the database instead of
sticking it all in the event signature field.  Searching a text field in a
database is very inefficient, especially when using LIKE statements to find
things.

> I am running two instances of snort 1.7, one on Linux and one on OpenBSD.
> Both of them are logging to (local) postgres databases.  I have noticed
> that port scan alerts are only logged to the 'event' table and they do
> not show up in the 'iphdr' or any other tables.  Is there a way to get
> that information logged as well ?
> 
> I am using the 03/01/2001 rulebase.
> 
> 
> 
> -- 
>  Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
>  Taygeta Scientific Inc.        INTERNET: skip at ...1552...
>  1340 Munras Ave., Suite 314    UUCP:     ...!uunet!taygeta!skip
>  Monterey, CA. 93940            WWW: http://www.taygeta.com/skip.html