[Snort-users] spp_portscan and mysql

Mikael Chambon snort-ml at ...5833...
Sun May 12 11:51:03 EDT 2002


Hi guys,

I am using snort 1.8.6, mysql 3.23.49, snortreport 1.11 on a Linux 2.4.18.
Snort is correctly detecting port scans and correctly writes alert and
portscan.log:

May 12 19:44:37 207.71.92.221:15000 -> 192.168.X.X:5000 SYN ******S*
May 12 19:44:36 207.71.92.221:10445 -> 192.168.X.X:445 SYN ******S*
May 12 19:44:36 207.71.92.221:10143 -> 192.168.X.X:143 SYN ******S*
May 12 19:44:36 207.71.92.221:10139 -> 192.168.X.X:139 SYN ******S*

The problem is, nothing is written to the SQL database when it comes from
spp_portscan.
Here is the output from: SELECT * FROM signature:

+--------+--------------------------------------------------------+--------------+--------------+---------+---------+
| sig_id | sig_name                                               | sig_class_id | sig_priority | sig_rev | sig_sid |
+--------+--------------------------------------------------------+--------------+--------------+---------+---------+
|      1 | ICMP Destination Unreachable (Port Unreachable)        |            1 |            3 |       4 |     402 |
|      2 | ICMP Echo Reply                                        |            1 |            3 |       4 |     408 |
|      3 | ICMP Destination Unreachable (Host Unreachable)        |            1 |            3 |       4 |     399 |
|      4 | spp_http_decode: ISS Unicode attack detected           |            0 |         NULL |       1 |       1 |
|      5 | WEB-IIS cmd.exe access                                 |            2 |            1 |       2 |    1002 |
|      6 | WEB-IIS CodeRed v2 root.exe access                     |            2 |            1 |       3 |    1256 |
|      7 | spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection |            0 |            5 |       1 |      13 |
|      8 | WEB-CGI formmail access                                |            3 |            2 |       2 |     884 |
|      9 | ICMP Time-To-Live Exceeded in Transit                  |            1 |            3 |       4 |     449 |
|     10 | WEB-IIS ISAPI .ida attempt                             |            2 |            1 |       2 |    1243 |
|     11 | WEB-MISC 403 Forbidden                                 |            3 |            2 |       2 |    1201 |
|     12 | ICMP Echo Reply (Undefined Code!)                      |            1 |            3 |       4 |     409 |
|     13 | DOS MSDTC attempt                                      |            4 |            2 |       2 |    1408 |
+--------+--------------------------------------------------------+--------------+--------------+---------+---------+

As we can see there is nothing from spp_portscan (but spp_stream4 mysql
logging is working).
I am not a SQL or snort guru and I used the "create_mysql" file (from snort
contrib) to create the sql tables.

Is this normal? Did I miss something? What can I do?

Thanks a lot for your help guys.

PS: Just to let you know that everything else is working perfectly

--
Mikael Chambon
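For readers who hit the same gap, a small parser for the spp_portscan `portscan.log` format quoted above, summarising scan activity per source host so the records can be reviewed or loaded elsewhere. This is an added example, not code from the post or from Snort; the sample lines are constructed to mirror the quoted format, including the `192.168.X.X` placeholder.

```python
"""Parse Snort 1.8 spp_portscan 'portscan.log' lines and summarise them per source.

Line format (as quoted in the post):
    <Mon> <day> <HH:MM:SS> <src>:<sport> -> <dst>:<dport> <scan type> <TCP flags>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)\s+"
    r"(?P<scan>\S+)\s+(?P<flags>\S+)\s*$"
)


def parse_line(line):
    """Return a dict of fields for one portscan.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarise(lines):
    """Per source address: line count, distinct destination ports and scan types seen."""
    summary = defaultdict(lambda: {"count": 0, "dports": set(), "types": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip status banners, blank lines and anything else we do not understand
        entry = summary[rec["src"]]
        entry["count"] += 1
        entry["dports"].add(rec["dport"])
        entry["types"].add(rec["scan"])
    return dict(summary)


# Constructed sample input mirroring the lines quoted in the post.
SAMPLE = """\
May 12 19:44:37 207.71.92.221:15000 -> 192.168.X.X:5000 SYN ******S*
May 12 19:44:36 207.71.92.221:10445 -> 192.168.X.X:445 SYN ******S*
May 12 19:44:36 207.71.92.221:10143 -> 192.168.X.X:143 SYN ******S*
May 12 19:44:36 207.71.92.221:10139 -> 192.168.X.X:139 SYN ******S*
""".splitlines()

if __name__ == "__main__":
    for src, entry in summarise(SAMPLE).items():
        print(src, entry["count"], sorted(entry["dports"]), sorted(entry["types"]))
```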