[Snort-users] managing portscan alerts
Michael.Cloppert at ...5884...
Mon Aug 12 06:58:02 EDT 2002
I am in a high-traffic environment and I'm running into a... slight
irritation with SNORT/ACID. From what I understand, using an "output
database: alert" will generate portscan alerts, and log all the gory details
to $logdir/portscan.log. If I change this line to "output database: log", I
don't see alerts in ACID. This is good. Unfortunately, I've noticed I also
don't see the information in portscan.log.
What I want is this information to be stored in portscan.log, but alerts NOT
generated. This way I don't get the "noise" of the portscan alerts in ACID,
but if I want to investigate a particular IP address more closely, I can
still get useful information out of the "portscan" link where ACID grabs
data from portscan.log. Now, I know, I can always manually delete the
portscan alerts... but like I said, being in a high-traffic environment, I'd
like to avoid having this write/delete load on my database.
Does anyone have the "database: log" running while still collecting the
portscan information in portscan.log? Can I do this? Any feedback would be
Thanks in advance,
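The use case in the post, digging into one address's portscan activity without the per-event alerts going into the database, can be served directly from the text file. The following is an added example, not code from the original post or from the Snort project: it parses a portscan.log-style file and summarizes one source address. The line layout it assumes (syslog-style timestamp, `src:port -> dst:port`, scan type, TCP flag string) is an assumption about the legacy portscan preprocessor's output, and the sample lines are constructed; adjust `LINE_RE` if your build writes a different layout.

```python
"""Summarize Snort 1.x portscan.log entries for one source address.

Added example, not from the original post. The line layout assumed here
(timestamp, src:port -> dst:port, scan type, TCP flag string) is an
assumption about the legacy portscan preprocessor's text output; adjust
the regular expression if your snort build writes a different layout.
"""
import re
from collections import defaultdict

# Assumed layout of one portscan.log line (see module docstring).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<kind>\S+)(?: (?P<flags>\S+))?$"
)

# Constructed sample lines, not captured from any real sensor.
SAMPLE_LOG = """\
Aug 12 06:58:02 192.0.2.10:40001 -> 198.51.100.5:22 SYN ******S*
Aug 12 06:58:02 192.0.2.10:40002 -> 198.51.100.5:23 SYN ******S*
Aug 12 06:58:03 192.0.2.10:40003 -> 198.51.100.5:80 SYN ******S*
Aug 12 06:58:03 192.0.2.10:40004 -> 198.51.100.6:80 SYN ******S*
Aug 12 06:58:04 203.0.113.7:1025 -> 198.51.100.5:443 SYN ******S*
this line is garbage and must be skipped
Aug 12 06:58:05 192.0.2.10:40005 -> 198.51.100.5:22 SYN ******S*
"""


def parse_portscan_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def summarize_source(text, source_ip):
    """Aggregate what one source address probed: hosts, ports, event count."""
    targets = defaultdict(set)   # dst host -> set of dst ports probed
    events = 0
    first = last = None
    for rec in parse_portscan_log(text):
        if rec["src"] != source_ip:
            continue
        events += 1
        targets[rec["dst"]].add(rec["dport"])
        first = first or rec["ts"]
        last = rec["ts"]
    return {
        "source": source_ip,
        "events": events,
        "hosts": sorted(targets),
        "distinct_ports": sorted({p for ports in targets.values() for p in ports}),
        "first_seen": first,
        "last_seen": last,
    }


if __name__ == "__main__":
    summary = summarize_source(SAMPLE_LOG, "192.0.2.10")
    print(f"{summary['source']}: {summary['events']} probes against "
          f"{len(summary['hosts'])} host(s), ports {summary['distinct_ports']}")
```

Reading the file on demand keeps the per-probe rows out of the database while still answering the "what did this address touch" question; malformed lines are skipped rather than aborting the run, since a rotated or partially written log is common on a busy sensor.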