[Snort-users] ACID Reporting and Portscans
jgiles at ...6534...
Tue Aug 6 12:20:04 EDT 2002
Well, Now Im totaly confused. I am logging to the syslog AND to MySQL (For Acid), and in the syslog, Im getting:
Aug 6 13:21:23 wolfserver snort: spp_portscan: portscan status from <ip Address>: 1 connections across 1 hosts: TCP(1), UDP(0) , but in Acid, Im not seeing that. The portscan.log file has these permissions:
-rw-rw-r-- 1 root root 67691 Aug 6 13:22 portscan.log
Any Ideas why its not showing up in Acid?
> You may already be doing this, so don't take offense if you have! When you
> see an alert for spp_portscan, and click on the IP address, you won't see
> portscan data. You will only see the data for that alert - and since the
> portscan data isn't kept in the alert itself, it isn't shown here. After
> clicking on the IP address for which a portscan alert was generated, you
> need to click on "Portscan Events" towards the top of the screen. It's in
> the middle of a list like:
> all alerts with 18.104.22.168/32 as : source | destination |
> show: unique alerts | portscan events
> Registry lookup (whois) in: ARIN | RIPE APNIC
> External: DNS | whois | SamSpade
> If you're already doing this and not getting data, you may want to check
> permissions on your portscan.log file to make sure your apache user (or
> equivalent) has read access.
> > -----Original Message-----
> > From: Joe Giles [mailto:jgiles at ...6534...]
> > Sent: Tuesday, August 06, 2002 12:08 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] ACID Reporting and Portscans
> > Probobly a simple setup issue, but I cant get any data from
> > ACID's Portscan Traffic. I get data from my portscan
> > preprocessor. I can generate a file
> > /var/log/snort/portscan.log (Owned by root) and the file is
> > working, and I have it set up in the acid_conf.php file, I
> > have $portscan_file = "/var/log/snort/portscan.log"; set.
> > But, Im not ever getting any port scan traffic. I can see
> > different port scan information in the logs, but isnt it
> > supposed to generate portscan spicific info?
> > Thanks
> > Joe Giles
> > jgiles at ...6534...
> > AOL ID: mcigiles
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
jgiles at ...6534...
AOL ID: mcigiles
More information about the Snort-users