[Snort-users] logging portscans to database
emf at ...367...
Tue Mar 13 00:50:11 EST 2001
-----BEGIN PGP SIGNED MESSAGE-----
On Mon, Mar 12, 2001 at 09:22:44PM -0700, Kevin.Brown at ...1022... wrote:
> portscans are captured by a plugin for snort called spp. I too think it
> would be nice if spp logged the source ip address in the database instead of
> sticking it all in the event signature field. Searching a text field in a
> database is very inefficient, especially when using LIKE statements to find
I've been poking around inside spp_portscan.. It really looks like this is
an easy fix.. There's some places that can just be gutted completely, and
then you have to make sure Packet *p makes it into LogScanInfoToSeperateFile(),
and change an fwrite()/fflush() pair to a CallLogFuncs(p,...) &&
I haven't had a good chance to sit down and really figure out how to get all
the right pieces of the packet into all the places it needs to be, but it
seems fairly straightforward code.
It's on my list of things to do, but if someone beats me there, my
schedule will thank you. ;)
Security Administrator, ServerVault, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
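The complaint in the quoted message is that spp_portscan stuffs the scanner's address into the free-text event signature, so finding scans from one host means a LIKE search over text. Until the preprocessor is changed to hand the packet to the output plugins, the same fields can be pulled out of the signature text after the fact. The following is an added example, written for this thread and not code from Snort or from either poster: it parses signature strings shaped like the Snort 1.x spp_portscan alert messages (the exact wording is an assumption made for illustration), stores the source address and counts in real columns of an in-memory SQLite table standing in for the thread's database, and shows why the LIKE search is not only slow but imprecise. The sample rows are constructed.

```python
import ipaddress
import re
import sqlite3

# Constructed sample signature strings. Their shape follows the three
# spp_portscan alert messages of Snort 1.x as an assumption; the last two
# rows are a non-portscan event and a malformed address that must be skipped.
SAMPLE_SIGNATURES = [
    "spp_portscan: PORTSCAN DETECTED from 192.168.1.77 (THRESHOLD 4 connections exceeded in 0 seconds)",
    "spp_portscan: portscan status from 192.168.1.77: 12 connections across 1 hosts: TCP(12), UDP(0)",
    "spp_portscan: End of portscan from 192.168.1.77: TOTAL time(3s) hosts(1) TCP(12) UDP(0)",
    "spp_portscan: PORTSCAN DETECTED from 10.0.0.5 (THRESHOLD 4 connections exceeded in 1 seconds)",
    "spp_portscan: portscan status from 10.0.0.5: 40 connections across 8 hosts: TCP(35), UDP(5)",
    "WEB-MISC /etc/passwd",
    "spp_portscan: PORTSCAN DETECTED from 999.1.1.1 (THRESHOLD 4 connections exceeded in 0 seconds)",
]

IPV4 = r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"

# One pattern per message kind; group names map onto the table columns below.
PATTERNS = {
    "detected": re.compile(r"^spp_portscan: PORTSCAN DETECTED from " + IPV4 + r" \("),
    "status": re.compile(
        r"^spp_portscan: portscan status from " + IPV4 + r": (?P<conns>\d+) connections across "
        r"(?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"),
    "end": re.compile(
        r"^spp_portscan: End of portscan from " + IPV4 + r": TOTAL time\((?P<secs>\d+)s\) "
        r"hosts\((?P<hosts>\d+)\) TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)"),
}


def parse_portscan_signature(sig):
    """Return the fields buried in a spp_portscan signature, or None if it is not one."""
    for kind, rx in PATTERNS.items():
        m = rx.match(sig)
        if not m:
            continue
        g = m.groupdict()
        try:
            # The regex accepts "999.1.1.1"; the address check rejects it.
            src = str(ipaddress.IPv4Address(g["src"]))
        except ValueError:
            return None
        rec = {"kind": kind, "src_ip": src}
        for key in ("conns", "hosts", "tcp", "udp", "secs"):
            rec[key] = int(g[key]) if g.get(key) is not None else None
        if rec["conns"] is None and rec["tcp"] is not None:
            rec["conns"] = rec["tcp"] + rec["udp"]  # the End message gives per-protocol totals only
        return rec
    return None


def load_into_db(signatures):
    """Load parsed scan events into an in-memory SQLite table with the source IP in its own indexed column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE portscan (
        id INTEGER PRIMARY KEY, kind TEXT NOT NULL, src_ip TEXT NOT NULL,
        connections INTEGER, hosts INTEGER, tcp INTEGER, udp INTEGER, secs INTEGER,
        signature TEXT NOT NULL)""")
    conn.execute("CREATE INDEX portscan_src_ip ON portscan(src_ip)")
    rows = []
    for sig in signatures:
        rec = parse_portscan_signature(sig)
        if rec is None:
            continue  # not a portscan event or not a usable address
        rows.append((rec["kind"], rec["src_ip"], rec["conns"], rec["hosts"],
                     rec["tcp"], rec["udp"], rec["secs"], sig))
    conn.executemany("INSERT INTO portscan (kind, src_ip, connections, hosts, tcp, udp, secs, signature) "
                     "VALUES (?, ?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def events_from(conn, src_ip):
    """Equality lookup on the indexed src_ip column: uses the index and matches only that host."""
    return conn.execute("SELECT COUNT(*) FROM portscan WHERE src_ip = ?", (src_ip,)).fetchone()[0]


def like_search(conn, fragment):
    """The text search the thread complains about: full scan over the signature column,
    and a substring match, so a prefix like 192.168.1.7 also hits 192.168.1.77."""
    return conn.execute("SELECT COUNT(*) FROM portscan WHERE signature LIKE ?",
                        ("%" + fragment + "%",)).fetchone()[0]


def widest_scan(conn):
    """Source that touched the most hosts; a question that needs the counts in numeric columns."""
    return conn.execute("SELECT src_ip, MAX(hosts) FROM portscan WHERE hosts IS NOT NULL").fetchone()


if __name__ == "__main__":
    db = load_into_db(SAMPLE_SIGNATURES)
    print("events from 192.168.1.77:", events_from(db, "192.168.1.77"))
    print("LIKE '%192.168.1.7%' hits:", like_search(db, "192.168.1.7"))
    print("widest scan:", widest_scan(db))
```

Note the second query: besides losing the index, a LIKE over the signature text answers a different question than "events from this host", because a shorter address is a substring of a longer one. Keeping the address in its own column fixes both problems, which is the point of passing the packet through to the output plugins.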