[Snort-users] Call for features requests for SPPv2

roman at ...438... roman at ...438...
Wed May 16 09:55:34 EDT 2001


I will agree that the way that portscans are logged into the 
database makes them extremely unwieldy to analyze.  However,
this is really a result of a much more fundamental problem.  There
is no good interface for structured data to be passed between
pre-processors plugins and output plugins.  I believe we are
feeling the pain of this most from spp_portscan because it is
(for obvious reasons) one of the most prolific alert generators.
I would suspect a real fix to the problem is both a change
to Snort internals (something currently being discussed)
as well as in spp_portscan.  Are there better near-term solutions?

Patrick:
Unrelated to this earlier issue, can spp_portscan have a
configurable output target (aka: not hardcoded to the alert
facility)?

cheers,
Roman
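As an added illustration of the structured-data point above (example code written for this page, not anything from the thread, from Snort, or from spp_portscan): the script below collapses a burst of per-packet portscan alert lines into one summary record per source, which is roughly the kind of record a dedicated portscan table, or a structured preprocessor-to-output interface, would carry instead of one alert per probe. The sample lines are constructed; their "src:port -> dst:port KIND FLAGS" layout and the fixed year are assumptions made for the example, not a claim about the real spp_portscan log format.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample of per-packet portscan alert lines, one line per probe packet.
# The layout is an assumption for this example, not the actual spp_portscan format.
SAMPLE_LINES = """\
May 16 09:55:01 10.0.0.5:40001 -> 192.168.1.10:21 SYN ******S*
May 16 09:55:01 10.0.0.5:40002 -> 192.168.1.10:22 SYN ******S*
May 16 09:55:02 10.0.0.5:40003 -> 192.168.1.10:23 SYN ******S*
May 16 09:55:02 10.0.0.5:40004 -> 192.168.1.11:22 SYN ******S*
May 16 09:55:03 10.0.0.5:40005 -> 192.168.1.12:22 SYN ******S*
May 16 09:55:09 172.16.3.7:51000 -> 192.168.1.10:80 NULL ********
May 16 09:55:09 172.16.3.7:51001 -> 192.168.1.10:443 NULL ********
"""

# Syslog-style timestamp (no year), then source, arrow, destination, scan kind, TCP flags.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<kind>\w+) (?P<flags>\S+)$"
)


@dataclass
class ScanSummary:
    """Aggregate of every probe packet seen from one source address."""
    source: str
    first_seen: datetime
    last_seen: datetime
    packets: int = 0
    hosts: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    kinds: set = field(default_factory=set)

    def as_row(self) -> dict:
        """One structured record of the shape a separate portscan table could hold."""
        return {
            "source": self.source,
            "first_seen": self.first_seen.isoformat(),
            "last_seen": self.last_seen.isoformat(),
            "duration_s": int((self.last_seen - self.first_seen).total_seconds()),
            "packets": self.packets,
            "hosts": len(self.hosts),
            "ports": len(self.ports),
            "kinds": sorted(self.kinds),
        }


def parse_line(line: str, year: int = 2001):
    """Parse one alert line; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The year is not in the line, so it is supplied by the caller (assumed 2001 here).
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"]), m["kind"]


def summarize(text: str) -> dict:
    """Fold per-packet lines into one ScanSummary per source, keyed by source IP."""
    summaries = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than abort the whole batch
        ts, src, dst, dport, kind = parsed
        s = summaries.get(src)
        if s is None:
            s = summaries[src] = ScanSummary(src, ts, ts)
        s.first_seen = min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
        s.packets += 1
        s.hosts.add(dst)
        s.ports.add(dport)
        s.kinds.add(kind)
    return summaries


def summary_rows(text: str) -> list:
    """Convenience wrapper: the summary records in first-seen order."""
    return [s.as_row() for s in summarize(text).values()]


if __name__ == "__main__":
    for row in summary_rows(SAMPLE_LINES):
        print(row)
```

With the constructed input, seven probe lines become two records: one source that touched three hosts and three ports in two seconds, and a second that sent two NULL probes to one host. Counting distinct hosts and ports, rather than storing every packet as its own event, is what keeps a scan from swamping a console such as ACID with near-unique alerts.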

> Hear Hear.  I have found the same thing.  In fact I have stopped logging
> Portscan info to a database because it fouls up any ability to search on
> unique alerts using ACID with nearly every portscan generating a unique
> alert.
> 
> I can imagine that it would be a challenge to log a portscan with a single
> source & destination ip/port when the nature of a portscan is to hit many
> ports/hosts in a short amount of time.
> 
> Would a separate table in the db be useful for dealing with portscans, since
> logging each of the actual packets in the normal events might overwhelm us?
> 
> Any other suggestions?
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jeff Dell
> Sent: Tuesday, 15 May 2001 21:39
> To: 'Patrick Mullen'; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Call for features requests for SPPv2
> 
> 
> I don't know if it has to do with the snort Portscan Preprocessor, ACID or
> anything in between, but when using ACID you get 3 lines for each portscan
> and you don't even get any good info from them. I have to revert back to the
> log file to gather any type of information. It sure would be nice to get
> this cleaned up.
> 
> Jeff
> 
> -----Original Message-----
> From: Patrick Mullen [mailto:pmullen at ...245...]
> Sent: Tuesday, May 15, 2001 3:17 AM
> To: snort-users at lists.sourceforge.net; snort-devel at lists.sourceforge.net
> Subject: [Snort-users] Call for features requests for SPPv2
> 
> 
> The grapevine was properly seeded for me to catch wind that The Big Guy (TM)
> wants a new version of the Snort Portscan Preprocessor out and he wants it
> yesterday. ;)
> 
> Make your voice heard!  Tell me what you like and don't like about the
> current SPP and what features you feel are lacking.  No request is too large
> and no request is too small.  I take all requests and comments!  It doesn't
> mean I'll implement them all, but I do take them...
> 
> Just please reply to me directly; feel free to cc: the list if you'd like.
> I get too much mail to too many lists to pore through it all.
> 
> 
> Thanks,
> 
> ~Patrick
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 



---------------------------------------------
This message was sent using Voicenet WebMail.
      http://www.voicenet.com/webmail/
