[Snort-users] logging portscans to database

Phil Wood cpw at ...440...
Tue Mar 13 10:50:11 EST 2001


My two cents is, think about it real careful.  Are you sure you want 20
million bytes of scan packets a day translated to hex and shipped over an
ethernet to your sql box?

On Tue, Mar 13, 2001 at 12:50:11AM -0500, Erik Fichtner wrote:
> On Mon, Mar 12, 2001 at 09:22:44PM -0700, Kevin.Brown at ...1022... wrote:
> > portscans are captured by a plugin for snort called spp.  I too think it
> > would be nice if spp logged the source ip address in the database instead of
> > sticking it all in the event signature field.  Searching a text field in a
> > database is very inefficient, especially when using LIKE statements to find
> > things.
> 
> 
> I've been poking around inside spp_portscan.. It really looks like this is
> an easy fix..  There's some places that can just be gutted completely, and
> then you have to make sure Packet *p makes it into LogScanInfoToSeperateFile(),
> and change an fwrite()/fflush() pair to a CallLogFuncs(p,...) && 
> CallAlertFuncs(p,...)
> 
> I haven't had a good chance to sit down and really figure out how to get all
> the right pieces of the packet into all the places it needs to be, but it
> seems fairly straightforward code.
> 
> It's on my list of things to do, but if someone beats me there, my 
> schedule will thank you. ;) 
> 
> 
> -- 
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
> 703-333-5900

-- 
Phil Wood, cpw at ...440...
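Kevin's point about LIKE searches on the signature text, worked through as an added example (not code from this thread, from spp, or from Snort's database schema): it loads a few constructed spp-style rows into SQLite and compares a LIKE search over the signature text with an equality lookup on a dedicated, indexed source-address column, both for the query plan and for what actually matches. The table, column and index names are assumptions made for this example.

```python
import sqlite3

# Constructed sample rows: the scanner address embedded in the signature
# text (as spp does) next to a dedicated source-address column.  Table and
# column names are assumptions for this example, not Snort's real schema.
SAMPLE_EVENTS = [
    ("spp_portscan: PORTSCAN DETECTED from 192.0.2.10", "192.0.2.10"),
    ("spp_portscan: PORTSCAN DETECTED from 192.0.2.11", "192.0.2.11"),
    ("spp_portscan: End of portscan from 192.0.2.10", "192.0.2.10"),
    ("spp_portscan: PORTSCAN DETECTED from 198.51.100.7", "198.51.100.7"),
]

def build_db():
    """Create an in-memory table with the constructed events and an index
    on the source-address column."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE event (sig_name TEXT, ip_src TEXT)")
    con.executemany("INSERT INTO event VALUES (?, ?)", SAMPLE_EVENTS)
    con.execute("CREATE INDEX event_ip_src ON event (ip_src)")
    return con

def plan(con, sql, params):
    """Return SQLite's query plan for sql as one string (the 'detail'
    column of EXPLAIN QUERY PLAN, e.g. 'SCAN event' or 'SEARCH ... INDEX')."""
    rows = con.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return " | ".join(str(r[-1]) for r in rows)

def find_by_like(con, ip):
    """Substring search on the signature text: a full table scan, and an
    address such as 192.0.2.1 also matches 192.0.2.10 and 192.0.2.11."""
    sql = "SELECT COUNT(*) FROM event WHERE sig_name LIKE ?"
    params = ("%" + ip + "%",)
    return con.execute(sql, params).fetchone()[0], plan(con, sql, params)

def find_by_column(con, ip):
    """Exact match on the indexed address column: index lookup, no false hits."""
    sql = "SELECT COUNT(*) FROM event WHERE ip_src = ?"
    params = (ip,)
    return con.execute(sql, params).fetchone()[0], plan(con, sql, params)

if __name__ == "__main__":
    db = build_db()
    for ip in ("192.0.2.10", "192.0.2.1"):
        for fn in (find_by_like, find_by_column):
            count, p = fn(db, ip)
            print(f"{fn.__name__}({ip}): {count} rows; plan: {p}")
```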





More information about the Snort-users mailing list