[Snort-users] SNORT configuration: logging alerts without portscans

Erek Adams erek at ...577...
Fri Oct 26 09:51:07 EDT 2001


On Fri, 26 Oct 2001 Thomas.Klockow at ...1355... wrote:

> I wonder if it is possible to log portscans and alerts to different files.

They already do.  :)

> So portscans should go only(!) to the file specified with the portscan
> keyword (preprocessor portscan: 192.168.1.0/24 5 7 /var/log/portscan.log)
> and alerts should go only to where ever you want, syslog for example (output
> alert_syslog: LOG_AUTH LOG_ALERT).
>
> In my standard configuration the portscans are logged in both files, what is
> not my intention.

Right, you want to see a version with everything in one place (in regards to
portscans).

> Any help?

Well, help I can't promise....  Think of it like this:

  You want an alert on _each_ event that triggers a rule, right?
  You need to know what ports, and such.
  Due to the way the portscan preprosessor works, it has to keep track of
connections acccording to the info in the .conf file.  spp_portscan sends back
an alert into snort.  Snort dumps it happily in the alert subsystem.  Now, in
your case, you don't consider that an alert.  It's all in how you think of it.
Since I like knowing if someone is slowscanning my nets, I make sure to have
more than one source of data.  :)  If you only had the alerts, you would miss
a lot of packet info.  With the portscan log, you get the some other useful
things.

I think the point may be moot, though...  IIRC, spp_portscan will either be
reworked, or a new one written for a upcoming release.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list