[Snort-users] Denmarc/Snort and portscans

Michael Sullenszino mikesz at ...84...
Thu Oct 25 21:02:07 EDT 2001


Well, you should be able to get snort to log portscans to mysql, I have
them on acid just fine (I believe it is in the snort faq what to change
in the mysql config line of snort.conf to get it to log to mysql). 
Also, there is a line in the default snort.conf that excludes
DNS_SERVERS, and that is defined as HOME_NET too, I believe.  Change
DNS_SERVER or comment out the line where it excludes DNS_SERVERS from
the portscan pre-processor.

Did that help?

Mike

On Thu, Oct 25, 2001 at 08:10:16PM -0700, Chris Grout wrote:
> With that line (the default), I believe the portscan.log file actually
> will be written to your root.  At least it did so on my OpenBSD 2.9 box.
> And the portscan preprocessor does not get written to the MySQL database,
> and therefore Demarc does not "see" those entries.  If I'm wrong, please
> let me know!
> 
> Chris
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Lists
> Sent: Thursday, October 25, 2001 6:10 PM
> To: DEMARC-Users at ...2629...
> Cc: snort-users at lists.sourceforge.net; Gisler, Johnny
> Subject: [Snort-users] Denmarc/Snort and portscans
> 
> 
> Greetings,
> 
> I am lighting off a portscan on my home_net and nothing is popping up on
> Demarc or getting logged to /var/log/snort/portscan.log
> 
> The machine I am launching the scan from is on my home_net subnet.  I
> notice in the snort.conf portscan preprocessor:
> 
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> 
> I have tried changing the value to: "any" (no quotes) with no luck.
> 
> Anybody have any thoughts?
> 
> TIA
> 
> Ben
> 
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 

-- 
Michael Sullenszino    /----------------------------------------\
mike at ...84...  ||  Powered by OpenBSD (www.OpenBSD.org)  ||
www.sullenszino.org   ||   & Debian GNU/Linux (www.debian.org)  ||
206.722.6539           \----------------------------------------/
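As an added illustration of the two points raised above (not code from any of the posters), here is the shape of the relevant snort.conf lines, the shipped form beside a corrected one. The default lines are my recollection of the Snort 1.8-era snort.conf, the addresses are constructed, and the claim that preprocessor output reaches the database through the `alert` facility rather than `log` is an assumption to check against your own snort.conf and the Snort FAQ.

```conf
# --- as shipped (assumed 1.8-era defaults): every HOME_NET host is exempt from portscan detection ---
var HOME_NET 192.168.1.0/24                          # constructed example network
var DNS_SERVERS $HOME_NET                            # DNS_SERVERS is simply HOME_NET again
preprocessor portscan: $HOME_NET 4 3 portscan.log    # 4 ports in 3 s; relative path lands in snort's cwd
preprocessor portscan-ignorehosts: $DNS_SERVERS      # ...so a scanner anywhere on HOME_NET is ignored
output database: log, mysql, user=snort dbname=snort host=localhost   # "log" facility only

# --- corrected ---
var HOME_NET 192.168.1.0/24
var DNS_SERVERS [192.168.1.2/32,192.168.1.3/32]      # only the real resolvers (constructed addresses)
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log   # absolute path, no surprise file in /
preprocessor portscan-ignorehosts: $DNS_SERVERS      # now exempts just the two resolvers
output database: alert, mysql, user=snort dbname=snort host=localhost  # assumed: preprocessor alerts use "alert"
```

Note that widening the first argument of `preprocessor portscan:` to `any`, as tried in the original post, does not help while `portscan-ignorehosts` still expands to the whole of HOME_NET: the ignore list is applied after the monitored network, so a scanning host inside HOME_NET stays exempt until DNS_SERVERS is narrowed or the ignorehosts line is commented out.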
