[Snort-users] managing portscan alerts

Cloppert, Michael Michael.Cloppert at ...5884...
Mon Aug 12 06:58:02 EDT 2002


I am in a high-traffic environment and I'm running into a... slight
irritation with SNORT/ACID.  From what I understand, using an "output
database: alert" will generate portscan alerts, and log all the gory details
to $logdir/portscan.log.  If I change this line to "output database: log", I
don't see alerts in ACID.  This is good.  Unfortunately, I've noticed I also
don't see the information in portscan.log.

What I want is this information to be stored in portscan.log, but alerts NOT
generated.  This way I don't get the "noise" of the portscan alerts in ACID,
but if I want to investigate a particular IP address more closely, I can
still get useful information out of the "portscan" link where ACID grabs
data from portscan.log.  Now, I know, I can always manually delete the
portscan alerts... but like I said, being in a high-traffic environment, I'd
like to avoid having this write/delete load on my database.  

Does anyone have the "database: log" running while still collecting the
portscan information in portscan.log?  Can I do this?  Any feedback would be
appreciated.

Thanks in advance,
Mike
