[Snort-users] spp_portscan and database schema

Erek Adams erek at ...577...
Thu Jul 18 16:04:03 EDT 2002


On 18 Jul 2002, Florin Andrei wrote:

> Are there any plans to change the way the alerts are sent to the
> database in regard to spp_portscan?
>
> I'm looking at portscan.log and I'd like to get that kind of information
> from the database without too many twists.
> Of course, if I'd run Snort in log mode, I think I'd have enough data to
> do that. But I'm running it in the alert mode, and log mode is not
> really an option (too much traffic).
> It would be nice if spp_portscan would suddenly switch to "log mode"
> once it detects a portscan, and revert back to alert. Or something like
> that, I'm not sure how to explain.
> To put it dumbly, "I want portscan.log in the database". :-)

Covered in your Handy-Dandy FAQ pages!

	http://acidlab.sourceforge.net/acid_faq.html#faq_b7

Now, _WHY_ do you have to do it that way?

	http://www.theadamsfamily.net/~erek/snort/logging_methods.txt

Will it change?  Sure!  Everything changes.  :)

Seriously, spp_portscan2 is being worked on in the 1.9dev branch.  That will
make quite a few changes to the way portscans are handled, so don't expect
things to remain the same. :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
