[Snort-users] ACID Reporting and Portscans

Joe Giles jgiles at ...6534...
Tue Aug 6 12:20:04 EDT 2002


Well, now I'm totally confused. I am logging to the syslog AND to MySQL (for ACID), and in the syslog, I'm getting:

Aug  6 13:21:23 wolfserver snort: spp_portscan: portscan status from <ip Address>: 1 connections across 1 hosts: TCP(1), UDP(0)

but in ACID, I'm not seeing that. The portscan.log file has these permissions:

-rw-rw-r--    1 root     root        67691 Aug  6 13:22 portscan.log

Any ideas why it's not showing up in ACID?

Thanks

Joe

> You may already be doing this, so don't take offense if you have!  When you
> see an alert for spp_portscan, and click on the IP address, you won't see
> portscan data.  You will only see the data for that alert - and since the
> portscan data isn't kept in the alert itself, it isn't shown here.  After
> clicking on the IP address for which a portscan alert was generated, you
> need to click on "Portscan Events" towards the top of the screen.  It's in
> the middle of a list like:
> 
> all alerts with 68.15.1.134/32 as : source | destination |
> source/destination
> show: unique alerts   |   portscan events 
>                           ^^^^^^^^^^^^^^^
> Registry lookup (whois) in: ARIN | RIPE APNIC
> External: DNS | whois | SamSpade
> 
> If you're already doing this and not getting data, you may want to check
> permissions on your portscan.log file to make sure your apache user (or
> equivalent) has read access.
> 
> HTH,
> 
> Mike
> 
> > -----Original Message-----
> > From: Joe Giles [mailto:jgiles at ...6534...]
> > Sent: Tuesday, August 06, 2002 12:08 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] ACID Reporting and Portscans
> > 
> > 
> > Probably a simple setup issue, but I can't get any data from 
> > ACID's Portscan Traffic. I get data from my portscan 
> > preprocessor. I can generate a file 
> > /var/log/snort/portscan.log (owned by root) and the file is 
> > working, and I have it set up in the acid_conf.php file; I 
> > have $portscan_file = "/var/log/snort/portscan.log"; set. 
> > But I'm not ever getting any port scan traffic. I can see 
> > different port scan information in the logs, but isn't it 
> > supposed to generate portscan-specific info?
> > 
> > Thanks
> > 
> > Joe Giles
> > jgiles at ...6534...
> > AOL ID: mcigiles
> > 
> > 
> > 
> 


Joe Giles
jgiles at ...6534...
AOL ID: mcigiles
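As an added example (not code from this thread, from ACID or from Snort), the script below does the two checks the thread turns on: it parses spp_portscan "portscan status" lines in the syslog format Joe quoted and reports the latest status per scanning source, and it applies the Unix read-permission rule Mike suggested checking to an ls -l mode string, so you can see whether the web server's user could open portscan.log. The sample syslog lines, the addresses, the unrelated sshd line and the user name apache are constructed; treating status lines as running totals for one scan is an assumption made here.

```python
"""Added example, not code from the thread, ACID or Snort: parse the
spp_portscan 'portscan status' syslog lines quoted in the thread, and apply
the POSIX read-permission rule to an ls -l mode string to see whether a
given user (e.g. the web server's) could read portscan.log.
All sample lines, addresses and user names below are constructed."""
import re
from collections import OrderedDict

# Shape of the syslog line quoted in the thread:
#   Aug  6 13:21:23 wolfserver snort: spp_portscan: portscan status from
#   <ip>: N connections across M hosts: TCP(x), UDP(y)
# Other spp_portscan messages use different wording and are deliberately
# not parsed here.
STATUS_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>[0-9A-Fa-f.:]+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)

# Constructed sample syslog lines (RFC 5737 documentation addresses); the
# sshd line is there to show that unrelated lines are skipped.
SAMPLE_LINES = [
    "Aug  6 13:21:23 wolfserver snort: spp_portscan: portscan status from 192.0.2.10: 1 connections across 1 hosts: TCP(1), UDP(0)",
    "Aug  6 13:21:24 wolfserver sshd[4242]: Accepted password for joe from 192.0.2.77 port 51000 ssh2",
    "Aug  6 13:21:31 wolfserver snort: spp_portscan: portscan status from 192.0.2.10: 23 connections across 5 hosts: TCP(20), UDP(3)",
    "Aug  6 13:21:35 wolfserver snort: spp_portscan: portscan status from 192.0.2.44: 6 connections across 1 hosts: TCP(6), UDP(0)",
]


def parse_status_line(line):
    """Return a dict for a 'portscan status' line, or None for any other line."""
    m = STATUS_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {"src": d["src"], "conns": int(d["conns"]), "hosts": int(d["hosts"]),
            "tcp": int(d["tcp"]), "udp": int(d["udp"])}


def latest_status_per_source(lines):
    """Status lines are treated here (assumption) as running totals for an
    ongoing scan, so keep only the latest line per source address instead of
    summing lines, which would double count connections."""
    latest = OrderedDict()
    for line in lines:
        rec = parse_status_line(line)
        if rec is not None:
            latest[rec["src"]] = rec
    return latest


def sources_over_threshold(lines, min_conns):
    """Source addresses whose latest status shows at least min_conns connections."""
    return [src for src, rec in latest_status_per_source(lines).items()
            if rec["conns"] >= min_conns]


def can_read(mode, owner, group, user, user_groups):
    """Apply the POSIX DAC read rule to an ls -l mode string such as
    '-rw-rw-r--': owner bits if the user owns the file, otherwise group bits
    if the user is in the file's group, otherwise the 'other' bits. root
    bypasses DAC entirely."""
    if user == "root":
        return True
    bits = mode[1:10]
    if len(bits) != 9:
        raise ValueError("expected a 10-character ls -l mode string")
    if user == owner:
        return bits[0] == "r"
    if group in user_groups:
        return bits[3] == "r"
    return bits[6] == "r"


if __name__ == "__main__":
    for src, rec in latest_status_per_source(SAMPLE_LINES).items():
        print(src, rec)
    # -rw-rw-r-- root root is world-readable: a non-root, non-group web
    # server user still gets read access. 0640 would shut it out.
    print("apache reads 0664 root:root:", can_read("-rw-rw-r--", "root", "root", "apache", ["apache"]))
    print("apache reads 0640 root:root:", can_read("-rw-r-----", "root", "root", "apache", ["apache"]))
```

can_read only judges the file itself: the web server's user also needs search (x) permission on every directory in the path to portscan.log, which the file's mode line alone does not show, so check the directory too when the file looks readable but ACID still shows nothing.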



