[Snort-users] logging portscans to database

Joe McAlerney joey at ...155...
Wed Mar 14 20:18:57 EST 2001


Jim Hoagland and I worked on a series of patches that allow output
plugins (i.e., database, xml, etc.) to receive the identification of an
input plugin (i.e., portscan, SPADE) as well as a data structure
containing information that the input plugin wishes to share.  This
would eliminate the need to parse msg strings passed between plugins,
and allow the data to simply be picked like fruit off a tree.

This is a common issue between all input and output plugins.  It would
be good to avoid creating some bridge between the portscan plugin and
the database plugin directly.  The same types of bridges will have to be
built when new input plugins show up on the scene, and have data to send
to the database - or new output plugins that want the packet details
that the portscan detector can provide.

The work we have done is being reviewed by the ever-busy Snort
development folks.  It was developed using the CVS snapshot from a month
or so ago, so chances are additional fixes will need to be made before it
is used (if that even ends up being the case :-).

-Joe M.

-- 
+--                            --+
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
+--                            --+

Kevin.Brown at ...1022... wrote:
> 
> Right now all spp does is stick its entire message in the message field of the
> event table, leaving the src and dest ip addresses blank.  It would be nice if
> the message was parsed prior to the insert so that at least the source ip
> address of the scan was put in the ip_src field in the iphdr table.  That
> would reduce the number of "unknown" addresses in the db that can't be
> searched for and also allow you to see that ip address xxx scanned you two
> days before the hack occurred by searching for the offending ip address.
> 
> > Part of what Phil meant was that for each packet you want to stuff into
> > the database, it must be expanded several times from its binary format
> > into ASCII.  Explosivo.
> >
> > -Jeff
> >
> > Erik Fichtner wrote:
> >
> > --
> > http://jeff.wwti.com            (pgp key available)
> > "Common sense is the collection of prejudices acquired by age eighteen."
> > - Albert Einstein
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> >
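As an added example (not the patch Joe and Jim describe, and not Snort's own code), this is the shape of the plugin-to-plugin hand-off the thread discusses: the portscan input plugin attaches its identifier and a typed struct to the event, and the database output plugin fills ip_src straight from that struct instead of parsing the message text. Every type, field and identifier here is an assumption, and the scanner address is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* Tag an input plugin attaches to the data it hands to output plugins
   (hypothetical identifiers, not Snort's real plugin interface). */
typedef enum { PLUGIN_PORTSCAN = 1, PLUGIN_SPADE = 2 } PluginId;

typedef struct {              /* what portscan would share (assumed fields) */
    struct in_addr src;       /* scanning host */
    unsigned hosts, ports;    /* distinct targets and ports probed */
    unsigned seconds;         /* length of the scan window */
} PortscanData;

typedef struct {              /* what every output plugin receives */
    PluginId    plugin;       /* who produced the event */
    const void *data;         /* plugin-specific struct, may be NULL */
    const char *msg;          /* legacy message text */
} PluginEvent;

typedef struct {              /* row the database plugin would insert */
    char ip_src[INET_ADDRSTRLEN];
    char message[96];
} EventRow;

/* Fill ip_src straight from the shared struct instead of parsing msg.
   Returns 0 when ip_src could be filled, 1 when only msg was available. */
int build_row(const PluginEvent *ev, EventRow *row) {
    memset(row, 0, sizeof *row);
    if (ev->plugin == PLUGIN_PORTSCAN && ev->data) {
        const PortscanData *ps = ev->data;
        inet_ntop(AF_INET, &ps->src, row->ip_src, sizeof row->ip_src);
        snprintf(row->message, sizeof row->message, "portscan: %u hosts, %u ports in %u s",
                 ps->hosts, ps->ports, ps->seconds);
        return 0;
    }
    snprintf(row->message, sizeof row->message, "%s", ev->msg ? ev->msg : "");
    return 1;   /* ip_src stays empty: the "unknown" address in the database */
}

/* Constructed sample event; with_struct=0 mimics the old message-only path. */
const EventRow *demo_row(int with_struct) {
    static EventRow row;
    static PortscanData ps = { .hosts = 12, .ports = 40, .seconds = 3 };
    inet_pton(AF_INET, "192.0.2.10", &ps.src);   /* constructed scanner address */
    PluginEvent ev = { PLUGIN_PORTSCAN, with_struct ? &ps : NULL,
                       "spp_portscan: PORTSCAN DETECTED" };
    build_row(&ev, &row);
    return &row;
}
```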