[Snort-users] logging portscans to database

Erik Fichtner emf at ...367...
Tue Mar 13 00:50:11 EST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Mar 12, 2001 at 09:22:44PM -0700, Kevin.Brown at ...1022... wrote:
> portscans are captured by a plugin for snort called spp.  I too think it
> would be nice if spp logged the source ip address in the database instead of
> sticking it all in the event signature field.  Searching a text field in a
> database is very inefficient, especially when using LIKE statements to find
> things.


I've been poking around inside spp_portscan.. It really looks like this is
an easy fix..  There's some places that can just be gutted completely, and
then you have to make sure Packet *p makes it into LogScanInfoToSeperateFile(),
and change an fwrite()/fflush() pair to a CallLogFuncs(p,...) && 
CallAlertFuncs(p,...)

I haven't had a good chance to sit down and really figure out how to get all
the right pieces of the packet into all the places it needs to be, but it
seems fairly straightforward code.

It's on my list of things to do, but if someone beats me there, my 
schedule will thank you. ;) 


- -- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjqttRIACgkQQ7EzrewLMS3OVQCgo7yo29h/aNIM8zJubP0lzV1O
JjQAoI9+ELNRr0h1tuQn/Xi/sGnIxTKU
=YLOd
-----END PGP SIGNATURE-----
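The schema point raised in the thread (a source address buried in the signature text can only be found with a LIKE scan, whereas its own column can be indexed and matched exactly), as an added example that is not part of the post and not Snort's own code. The scan-line format, table names and column names are assumptions made for this example; the sample lines are constructed. It also shows a second cost of the text-field approach that the post only hints at: a substring match cannot tell a source address from a destination address.

```python
"""Added example, not from the Snort-users post and not Snort's own code.

Compares two ways of recording a portscan event in a database:
  event_text  - everything in one free-text signature field (the approach
                complained about in the thread), searched with LIKE
  portscan    - each field in its own column, with an index on src_ip
The log-line format, table and column names are assumptions for this example.
"""
import ipaddress
import re
import sqlite3

# Constructed sample lines in the style of a per-scan log file.
# The exact format is assumed for this example, not copied from Snort.
SAMPLE_SCAN_LINES = [
    "Mar 12 21:22:44 10.1.1.5:40123 -> 192.168.0.10:22 SYN ******S*",
    "Mar 12 21:22:44 10.1.1.5:40124 -> 192.168.0.10:23 SYN ******S*",
    "Mar 12 21:22:45 10.1.1.5:40125 -> 192.168.0.10:80 SYN ******S*",
    "Mar 12 21:23:01 172.16.4.9:51000 -> 192.168.0.11:443 SYN ******S*",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<kind>\S+) (?P<flags>\S+)$"
)


def parse_scan_line(line):
    """Split one scan line into typed fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        # Addresses stored as integers so they can be indexed and range-queried.
        "src_ip": int(ipaddress.ip_address(d["src"])),
        "sport": int(d["sport"]),
        "dst_ip": int(ipaddress.ip_address(d["dst"])),
        "dport": int(d["dport"]),
        "kind": d["kind"],
        "flags": d["flags"],
    }


def build_db(lines):
    """Create an in-memory SQLite database with both layouts and load the lines."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event_text (id INTEGER PRIMARY KEY, signature TEXT NOT NULL);
        CREATE TABLE portscan (
            id INTEGER PRIMARY KEY, ts TEXT NOT NULL,
            src_ip INTEGER NOT NULL, sport INTEGER NOT NULL,
            dst_ip INTEGER NOT NULL, dport INTEGER NOT NULL,
            kind TEXT NOT NULL, flags TEXT NOT NULL);
        CREATE INDEX portscan_src_ip ON portscan (src_ip);
    """)
    for line in lines:
        rec = parse_scan_line(line)
        if rec is None:
            continue  # skip malformed lines instead of storing garbage
        conn.execute("INSERT INTO event_text (signature) VALUES (?)", (line,))
        conn.execute(
            "INSERT INTO portscan (ts, src_ip, sport, dst_ip, dport, kind, flags) "
            "VALUES (:ts, :src_ip, :sport, :dst_ip, :dport, :kind, :flags)", rec)
    conn.commit()
    return conn


def count_by_src_text(conn, ip):
    """Text-field approach: substring search with LIKE.

    The pattern anchors on ' ip:' to avoid matching 10.1.1.50 when asked for
    10.1.1.5, but it still cannot tell a source address from a destination,
    because both appear in the text preceded by a space.
    """
    row = conn.execute("SELECT COUNT(*) FROM event_text WHERE signature LIKE ?",
                       (f"% {ip}:%",)).fetchone()
    return row[0]


def count_by_src_column(conn, ip):
    """Dedicated-column approach: exact match on the indexed integer column."""
    row = conn.execute("SELECT COUNT(*) FROM portscan WHERE src_ip = ?",
                       (int(ipaddress.ip_address(ip)),)).fetchone()
    return row[0]


def plan_uses_index(conn, sql, params):
    """True if SQLite's query plan for sql performs an index lookup, False for a full scan."""
    plan = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return any("INDEX" in str(row) for row in plan)


if __name__ == "__main__":
    db = build_db(SAMPLE_SCAN_LINES)
    for ip in ("10.1.1.5", "172.16.4.9", "192.168.0.10"):
        print(ip, "text:", count_by_src_text(db, ip), "column:", count_by_src_column(db, ip))
    print("LIKE on signature uses index:",
          plan_uses_index(db, "SELECT COUNT(*) FROM event_text WHERE signature LIKE ?", ("%x%",)))
    print("src_ip column uses index:",
          plan_uses_index(db, "SELECT COUNT(*) FROM portscan WHERE src_ip = ?", (1,)))
```

Run stand-alone it prints the per-address counts under both layouts and the two query-plan checks. The query for 192.168.0.10 is the telling one: the LIKE search reports three hits because that address appears as a destination, while the src_ip column correctly reports none.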