[Snort-users] logging portscans to database

Phil Wood cpw at ...440...
Tue Mar 13 10:50:11 EST 2001

My two cents is, think about it real careful.  Are you sure you want 20
million bytes of scan packets a day translated to hex and shipped over an
ethernet to your sql box?

On Tue, Mar 13, 2001 at 12:50:11AM -0500, Erik Fichtner wrote:
> On Mon, Mar 12, 2001 at 09:22:44PM -0700, Kevin.Brown at ...1022... wrote:
> > portscans are captured by a plugin for snort called spp.  I too think it
> > would be nice if spp logged the source ip address in the database instead of
> > sticking it all in the event signature field.  Searching a text field in a
> > database is very inefficient, especially when using LIKE statements to find
> > things.
> I've been poking around inside spp_portscan.. It really looks like this is
> an easy fix..  There's some places that can just be gutted completely, and
> then you have to make sure Packet *p makes it into LogScanInfoToSeperateFile(),
> and change an fwrite()/fflush() pair to a CallLogFuncs(p,...) && 
> CallAlertFuncs(p,...)
> I haven't had a good chance to sit down and really figure out how to get all
> the right pieces of the packet into all the places it needs to be, but it
> seems fairly straightforward code.
> It's on my list of things to do, but if someone beats me there, my 
> schedule will thank you. ;) 
> - -- 
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
> 703-333-5900

Phil Wood, cpw at ...440...
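The point Kevin raises above (a source address buried in the signature text can only be found with a LIKE scan, while a dedicated column can be indexed) as an added illustration; this is example code written for this archive page, not part of Snort or the spp_portscan plugin, and the table layouts, the signature wording and the sample addresses are all constructed assumptions.

```python
import ipaddress
import sqlite3

# Constructed sample scans (assumed values, not from the thread).  192.0.2.100
# is included on purpose: it shares a prefix with 192.0.2.10.
SAMPLE_SCANS = [
    ("192.0.2.10", 12),
    ("198.51.100.7", 4),
    ("192.0.2.100", 9),
    ("192.0.2.10", 7),
]

def ip_to_int(ip):
    """Store the address as an integer so it can be indexed and range-queried."""
    return int(ipaddress.ip_address(ip))

def build_db():
    """Two hypothetical layouts side by side: text-only signature vs. an indexed src_ip column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (sid INTEGER PRIMARY KEY, signature TEXT)")
    conn.execute("CREATE TABLE portscan (sid INTEGER PRIMARY KEY, "
                 "src_ip INTEGER NOT NULL, ports INTEGER NOT NULL)")
    conn.execute("CREATE INDEX portscan_src ON portscan (src_ip)")
    for ip, ports in SAMPLE_SCANS:
        # Assumed signature wording; the real plugin's text may differ.
        sig = f"spp_portscan: PORTSCAN DETECTED from {ip} ({ports} ports)"
        cur = conn.execute("INSERT INTO event (signature) VALUES (?)", (sig,))
        conn.execute("INSERT INTO portscan VALUES (?, ?, ?)",
                     (cur.lastrowid, ip_to_int(ip), ports))
    conn.commit()
    return conn

def find_by_like(conn, ip):
    """Text-field search: every row is read, and substring matching over-matches (192.0.2.100)."""
    return [r[0] for r in conn.execute(
        "SELECT sid FROM event WHERE signature LIKE ?", (f"%{ip}%",))]

def find_by_column(conn, ip):
    """Dedicated column: exact match served from the index, no false hits."""
    return [r[0] for r in conn.execute(
        "SELECT sid FROM portscan WHERE src_ip = ?", (ip_to_int(ip),))]

def query_plan(conn, sql, params):
    """Join SQLite's EXPLAIN QUERY PLAN detail text so the access path can be inspected."""
    return " ".join(r[3] for r in conn.execute("EXPLAIN QUERY PLAN " + sql, params))

if __name__ == "__main__":
    db = build_db()
    print(find_by_like(db, "192.0.2.10"), find_by_column(db, "192.0.2.10"))
    print(query_plan(db, "SELECT sid FROM event WHERE signature LIKE ?", ("%192.0.2.10%",)))
    print(query_plan(db, "SELECT sid FROM portscan WHERE src_ip = ?", (ip_to_int("192.0.2.10"),)))
```

The LIKE plan reports a full table SCAN and returns the 192.0.2.100 row as a false hit; the column query reports a SEARCH using portscan_src and returns only the two genuine rows.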
