[Snort-users] logging portscans to database

Kevin.Brown at ...1022...
Tue Mar 13 16:30:12 EST 2001


Right now all spp does is stick its entire message in the message field of the
event table, leaving the src and dest ip addresses blank.  It would be nice if
the message was parsed prior to the insert so that at least the source ip
address of the scan was put in the ip_src field in the iphdr table.  That
would reduce the number of "unknown" addresses in the db that can't be
searched for and also allow you to see that ip address xxx scanned you two
days before the hack occurred by searching for the offending ip address.

> Part of what Phil meant was that for each packet you want to stuff into
> the database, it must be expanded several times from its binary format
> into ASCII.  Explosivo.
> 
> -Jeff
> 
> Erik Fichtner wrote:
> > 
> 
> -- 
> http://jeff.wwti.com            (pgp key available)
> "Common sense is the collection of prejudices acquired by age eighteen."
> - Albert Einstein
> 
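As an added illustration of the parsing Kevin is asking for (example code written for this page, not code from spp_portscan or from any Snort database output plugin): pull the source address out of the portscan message before the insert, store it as the unsigned 32-bit integer the Snort schema uses for ip_src, and then run the "who scanned me before the hack" search against iphdr instead of grepping the message field.  The spp_portscan message shapes, the two-table layout and the sample alerts are all assumed or constructed for the example; anything that does not look like a portscan message, or that carries an address that is not a valid dotted quad, leaves ip_src NULL rather than storing garbage.

```python
"""
Added example, not original spp_portscan or Snort DB plugin code.
Parses the scanner address out of a portscan message prior to the database
insert so iphdr.ip_src is populated instead of left blank.
Assumptions: message shapes follow the Snort 1.x portscan preprocessor
("... from <addr> ..."); the schema is a constructed minimal stand-in for
the Snort tables named in the post (event.message, iphdr.ip_src).
"""
import ipaddress
import re
import sqlite3
from typing import Optional

# Every assumed spp_portscan variant carries a "from <addr>" token; that is
# the only thing the parser relies on.  Octet ranges are validated below.
PORTSCAN_SRC_RE = re.compile(
    r"^spp_portscan:.*?\bfrom\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b"
)


def portscan_source(message: str) -> Optional[str]:
    """Dotted-quad source of a spp_portscan message, or None if the message
    is not a portscan alert or the address in it is not a valid IPv4."""
    m = PORTSCAN_SRC_RE.match(message)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group("src")))
    except ipaddress.AddressValueError:
        return None


def ip_to_int(addr: str) -> int:
    """Snort's schema stores ip_src/ip_dst as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def open_db() -> sqlite3.Connection:
    # Constructed minimal schema (not the real Snort DDL); column names
    # follow the tables the post mentions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE event (sid INTEGER, cid INTEGER, timestamp TEXT, message TEXT);
        CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
    """)
    return db


def insert_alert(db, sid, cid, timestamp, message) -> Optional[str]:
    """Insert one alert; for portscan messages also fill iphdr.ip_src.
    Returns the parsed source address, or None if nothing could be parsed."""
    db.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
               (sid, cid, timestamp, message))
    src = portscan_source(message)
    # ip_dst stays NULL: the portscan message names the scanner, not a target.
    db.execute("INSERT INTO iphdr VALUES (?, ?, ?, NULL)",
               (sid, cid, ip_to_int(src) if src else None))
    db.commit()
    return src


def scans_from(db, addr: str, before: str) -> list:
    """The search the post wants: portscan events from addr earlier than a
    given timestamp, found through iphdr.ip_src rather than the message text."""
    return db.execute("""
        SELECT e.timestamp, e.message FROM event e
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        WHERE i.ip_src = ? AND e.timestamp < ? ORDER BY e.timestamp
    """, (ip_to_int(addr), before)).fetchall()


# Constructed sample alerts in the assumed spp_portscan message shapes.
SAMPLE_ALERTS = [
    ("2001-03-11 02:14:07", "spp_portscan: PORTSCAN DETECTED from 10.0.0.5 (THRESHOLD 4 connections exceeded in 0 seconds)"),
    ("2001-03-11 02:14:09", "spp_portscan: portscan status from 10.0.0.5: 12 connections across 1 hosts: TCP(12), UDP(0)"),
    ("2001-03-11 02:14:20", "spp_portscan: End of portscan from 10.0.0.5: TOTAL time(13s) hosts(1) TCP(12) UDP(0)"),
    ("2001-03-12 23:59:59", "IDS177/netbios-name-query"),                        # not a portscan message
    ("2001-03-13 10:00:00", "spp_portscan: PORTSCAN DETECTED from 999.1.1.1 (bogus)"),  # invalid octet
]


def load_samples(db) -> list:
    """Insert every sample alert; returns the per-row parsed source list."""
    return [insert_alert(db, 1, cid, ts, msg)
            for cid, (ts, msg) in enumerate(SAMPLE_ALERTS, start=1)]


if __name__ == "__main__":
    db = open_db()
    print(load_samples(db))
    for ts, msg in scans_from(db, "10.0.0.5", "2001-03-13 00:00:00"):
        print(ts, msg)
```

The ip_dst column is left NULL on purpose: a portscan summary identifies the scanner only, and inventing a destination would make the row look like a normal packet record.  Rows whose message did not parse still get an iphdr row with a NULL ip_src, so a query for "events with no source" still finds them rather than silently dropping them.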