[Snort-users] spp_portscan and database schema

Erek Adams erek at ...577...
Thu Jul 18 16:04:03 EDT 2002

On 18 Jul 2002, Florin Andrei wrote:

> Are there any plans to change the way the alerts are sent to the
> database in regard to spp_portscan?
> I'm looking at portscan.log and I'd like to get that kind of information
> from the database without too many twists.
> Of course, if I'd run Snort in log mode, I think I'd have enough data to
> do that. But I'm running it in the alert mode, and log mode is not
> really an option (too much traffic).
> It would be nice if spp_portscan would suddenly switch to "log mode"
> once it detects a portscan, and revert back to alert. Or something like
> that, I'm not sure how to explain.
> To put it dumbly, "I want portscan.log in the database". :-)

Covered in your Handy-Dandy FAQ pages!


Now, _WHY_ do you have to do it that way?


Will it change?  Sure!  Everything changes.  :)

Seriously, spp_portscan2 is being worked on in the 1.9dev branch.  That will
make quite a few changes to the way portscans are handled, so don't expect
things to remain the same. :)

Erek Adams
