[Snort-users] logging portscans to database
cpw at ...440...
Tue Mar 13 10:50:11 EST 2001
My two cents is, think about it real careful. Are you sure you want 20
million bytes of scan packets a day translated to hex and shipped over an
ethernet to your sql box?
On Tue, Mar 13, 2001 at 12:50:11AM -0500, Erik Fichtner wrote:
> On Mon, Mar 12, 2001 at 09:22:44PM -0700, Kevin.Brown at ...1022... wrote:
> > portscans are captured by a plugin for snort called spp. I too think it
> > would be nice if spp logged the source ip address in the database instead of
> > sticking it all in the event signature field. Searching a text field in a
> > database is very inefficient, especially when using LIKE statements to find
> > things.
> I've been poking around inside spp_portscan.. It really looks like this is
> an easy fix.. There's some places that can just be gutted completely, and
> then you have to make sure Packet *p makes it into LogScanInfoToSeperateFile(),
> and change an fwrite()/fflush() pair to a CallLogFuncs(p,...) &&
> I haven't had a good chance to sit down and really figure out how to get all
> the right pieces of the packet into all the places it needs to be, but it
> seems fairly straightforward code.
> It's on my list of things to do, but if someone beats me there, my
> schedule will thank you. ;)
> --
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
Phil Wood, cpw at ...440...
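The contrast Kevin raises (scanner address buried in a free-text signature column and found with LIKE, versus a proper indexed column) is easy to see on a toy database. The block below is an added example, not code from the thread or from Snort: it builds both layouts in an in-memory SQLite database, fills them with constructed scan summaries, and compares the queries. Table and column names (`event_text`, `portscan`, `src_ip`) and the message text are assumptions for the demo, not Snort's schema. Storing one summary row per scan, rather than every scan packet, is also the shape that keeps the traffic to the SQL box down, which is Phil's concern.

```python
"""
Added example: two ways of recording portscan alerts in a database.

  1. event_text: everything packed into one text column (the "event
     signature field" layout the thread complains about), searched with LIKE;
  2. portscan: the scanner's source IP in its own indexed column, matched
     with equality and usable for GROUP BY roll-ups.

All names and data are constructed for this demo; nothing here is Snort's
real schema or output.
"""
import sqlite3

# Constructed sample scan summaries: (scanner_ip, first_port, last_port, packets).
SCANS = [
    ("10.0.0.5", 21, 1024, 1003),
    ("10.0.0.5", 1025, 2048, 1024),
    ("192.0.2.44", 1, 65535, 65535),
    ("10.0.0.50", 22, 22, 17),
    ("198.51.100.7", 80, 8080, 4),
]


def build_db():
    """Create both layouts in memory and load the constructed scans into each."""
    con = sqlite3.connect(":memory:")
    cur = con.cursor()
    # Layout 1: one free-text column holding a message in the style of a
    # portscan alert (message wording is constructed, not Snort's).
    cur.execute("CREATE TABLE event_text (id INTEGER PRIMARY KEY, sig TEXT)")
    # Layout 2: the source address is its own column with an index on it.
    cur.execute(
        "CREATE TABLE portscan (id INTEGER PRIMARY KEY, src_ip TEXT NOT NULL,"
        " first_port INTEGER, last_port INTEGER, packets INTEGER)"
    )
    cur.execute("CREATE INDEX portscan_src_ip ON portscan(src_ip)")
    for ip, lo, hi, n in SCANS:
        msg = (f"spp_portscan: PORTSCAN DETECTED from {ip} "
               f"({n} connections across ports {lo}-{hi})")
        cur.execute("INSERT INTO event_text (sig) VALUES (?)", (msg,))
        cur.execute(
            "INSERT INTO portscan (src_ip, first_port, last_port, packets)"
            " VALUES (?, ?, ?, ?)",
            (ip, lo, hi, n),
        )
    con.commit()
    return con


def count_by_like(con, ip):
    """Layout 1 lookup: substring match over the text column.

    Every row must be read, and the pattern is ambiguous: searching for
    10.0.0.5 also matches the row for 10.0.0.50.
    """
    pattern = f"%from {ip}%"
    return con.execute(
        "SELECT COUNT(*) FROM event_text WHERE sig LIKE ?", (pattern,)
    ).fetchone()[0]


def count_by_column(con, ip):
    """Layout 2 lookup: exact match on the indexed column."""
    return con.execute(
        "SELECT COUNT(*) FROM portscan WHERE src_ip = ?", (ip,)
    ).fetchone()[0]


def top_scanners(con, limit=3):
    """A roll-up the normalized column makes cheap: packets per scanner."""
    return con.execute(
        "SELECT src_ip, SUM(packets) FROM portscan"
        " GROUP BY src_ip ORDER BY 2 DESC LIMIT ?",
        (limit,),
    ).fetchall()


def uses_index(con, sql, params):
    """True if SQLite's query plan for `sql` mentions an index; the detail
    string is the last element of each EXPLAIN QUERY PLAN row."""
    plan = con.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return any(" INDEX " in str(row[-1]) for row in plan)


if __name__ == "__main__":
    db = build_db()
    for ip in ("10.0.0.5", "192.0.2.44"):
        print(ip, "LIKE:", count_by_like(db, ip), "column:", count_by_column(db, ip))
    print("index used for column lookup:",
          uses_index(db, "SELECT COUNT(*) FROM portscan WHERE src_ip = ?", ("10.0.0.5",)))
    print("index used for LIKE lookup:",
          uses_index(db, "SELECT COUNT(*) FROM event_text WHERE sig LIKE ?", ("%from 10.0.0.5%",)))
    print("top scanners:", top_scanners(db))
```

Run as a script it shows the LIKE lookup over-counting (10.0.0.5 matches 10.0.0.50 as well) and, via `EXPLAIN QUERY PLAN`, that only the column lookup is served by the index; the leading `%` in the LIKE pattern forces a full table scan on any database, which is the inefficiency the thread describes at 20 million bytes of scan data a day.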