[Snort-users] ACID Reporting and Portscans

Cloppert, Michael Michael.Cloppert at ...5884...
Tue Aug 6 11:49:02 EDT 2002


You may already be doing this, so don't take offense if you have!  When you
see an alert for spp_portscan, and click on the IP address, you won't see
portscan data.  You will only see the data for that alert - and since the
portscan data isn't kept in the alert itself, it isn't shown here.  After
clicking on the IP address for which a portscan alert was generated, you
need to click on "Portscan Events" towards the top of the screen.  It's in
the middle of a list like:

all alerts with 68.15.1.134/32 as : source | destination |
source/destination
show: unique alerts   |   portscan events 
                          ^^^^^^^^^^^^^^^
Registry lookup (whois) in: ARIN | RIPE APNIC
External: DNS | whois | SamSpade

If you're already doing this and not getting data, you may want to check
permissions on your portscan.log file to make sure your apache user (or
equivalent) has read access.

HTH,

Mike
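One way to verify the read-access point above, as an added example that is not code from this thread or from ACID/Snort: it checks the classic owner/group/mode bits on the log file and search permission on every parent directory, which is easy to overlook when /var/log/snort itself is 0700. The account name `apache` and the log path are assumptions (use the User from your httpd.conf and the $portscan_file path from acid_conf.php); ACLs and SELinux are not modelled.

```python
# Added example, not from the thread: can the web server account read
# portscan.log? Checks mode bits on the file and search (x) permission on
# every parent directory. Root always passes; ACLs/SELinux are ignored.
import grp
import os
import pwd
import stat
import tempfile

BITS = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
        "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}

def has_perm(path, uid, gids, want):
    """want is 'r' or 'x'; gids is the set of gids the account belongs to."""
    st = os.stat(path)
    if uid == 0:                       # root bypasses mode bits
        return True
    owner, group, other = BITS[want]
    if st.st_uid == uid:
        return bool(st.st_mode & owner)
    if st.st_gid in gids:
        return bool(st.st_mode & group)
    return bool(st.st_mode & other)

def readable_by(path, uid, gids):
    """True if the account can open path for reading (all ancestors searchable)."""
    parts = os.path.abspath(path).split(os.sep)
    dirs = [os.sep] + [os.sep.join(parts[:i]) for i in range(2, len(parts))]
    return (all(has_perm(d, uid, gids, "x") for d in dirs)
            and has_perm(path, uid, gids, "r"))

def web_user_can_read(path, web_user="apache"):
    """Resolve a local account (assumed name; use your httpd's User) to its
    uid and primary+supplementary gids, then check the file."""
    pw = pwd.getpwnam(web_user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if web_user in g.gr_mem}
    return readable_by(path, pw.pw_uid, gids)

def demo():
    """Constructed sample: a 0600 portscan.log owned by us, checked for our
    own account and for an unrelated uid/gid (65534) standing in for apache."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "portscan.log")
    with open(log, "w") as f:   # one constructed spp_portscan log line
        f.write("Aug  6 11:49:02 10.0.0.5:1234 -> 10.0.0.9:22 SYN ******S*\n")
    os.chmod(log, 0o600)
    mine = {os.getgid()} | set(os.getgroups())
    return {"owner": readable_by(log, os.getuid(), mine),
            "other": readable_by(log, 65534, {65534})}
```

Running `web_user_can_read("/var/log/snort/portscan.log", "apache")` on the sensor host returning False means ACID's Portscan Events page will stay empty until the file (and directory) permissions are adjusted.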

> -----Original Message-----
> From: Joe Giles [mailto:jgiles at ...6534...]
> Sent: Tuesday, August 06, 2002 12:08 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] ACID Reporting and Portscans
> 
> 
> Probably a simple setup issue, but I can't get any data from 
> ACID's Portscan Traffic. I get data from my portscan 
> preprocessor. I can generate a file 
> /var/log/snort/portscan.log (owned by root) and the file is 
> working, and I have it set up in the acid_conf.php file; I 
> have $portscan_file = "/var/log/snort/portscan.log"; set. 
> But I'm not ever getting any port scan traffic. I can see 
> different port scan information in the logs, but isn't it 
> supposed to generate portscan-specific info?
> 
> Thanks
> 
> Joe Giles
> jgiles at ...6534...
> AOL ID: mcigiles
> 
