[Snort-users] spp_portscan and database schema
erek at ...577...
Thu Jul 18 16:04:03 EDT 2002
On 18 Jul 2002, Florin Andrei wrote:
> Are there any plans to change the way the alerts are sent to the
> database in regard to spp_portscan?
> I'm looking at portscan.log and I'd like to get that kind of information
> from the database without too many twists.
> Of course, if I'd run Snort in log mode, I think I'd have enough data to
> do that. But I'm running it in the alert mode, and log mode is not
> really an option (too much traffic).
> It would be nice if spp_portscan would suddenly switch to "log mode"
> once it detects a portscan, and revert back to alert. Or something like
> that, I'm not sure how to explain.
> To put it dumbly, "I want portscan.log in the database". :-)
Covered in your Handy-Dandy FAQ pages!
Now, _WHY_ do you have to do it that way?
Will it change? Sure! Everything changes. :)
Seriously, spp_portscan2 is being worked on in the 1.9dev branch. That will
make quite a few changes to the way portscans are handled, so don't expect
things to remain the same. :)