[Snort-users] spp_portscan and database schema

Florin Andrei florin at ...3506...
Thu Jul 18 13:23:05 EDT 2002


Are there any plans to change the way the alerts are sent to the
database in regard to spp_portscan?

I'm looking at portscan.log and I'd like to get that kind of information
from the database without too many twists.
Of course, if I'd run Snort in log mode, I think I'd have enough data to
do that. But I'm running it in the alert mode, and log mode is not
really an option (too much traffic).
It would be nice if spp_portscan would suddenly switch to "log mode"
once it detects a portscan, and revert back to alert. Or something like
that, I'm not sure how to explain.
To put it dumbly, "I want portscan.log in the database". :-)

-- 
Florin Andrei

"If you spend more on coffee than on IT security, then you will be
hacked. What's more, you deserve to be hacked."
 - Richard Clarke, President Bush's advisor on cybersecurity




