[Snort-users] spp_portscan and mysql

Wirth, Jeff WirthJe at ...4876...
Mon May 13 07:17:47 EDT 2002


From: Mikael Chambon [mailto:snort-ml at ...5833...]
> I am using snort 1.8.6, mysql 3.23.49, snortreport 1.11 on a
> Linux 2.4.18.
> Snort is correctly detecting portscans and writes correctly to alert and
> portscan.log:
> 
> May 12 19:44:37 207.71.92.221:15000 -> 192.168.X.X:5000 SYN ******S*
> May 12 19:44:36 207.71.92.221:10445 -> 192.168.X.X:445 SYN ******S*
> May 12 19:44:36 207.71.92.221:10143 -> 192.168.X.X:143 SYN ******S*
> May 12 19:44:36 207.71.92.221:10139 -> 192.168.X.X:139 SYN ******S*
> 
> The problem is, nothing is written in the sql databases when it
> comes from spp_portscan.

...check your snort.conf file, I would guess you have something along the
lines of:

        output database: log, mysql, <other options>
                         ^^^
In order to see portscan data you need to modify the above to:

        output database: alert, mysql, <other options>
                         ^^^^^
> 
> As we can see there is nothing from spp_portscan (but spp_stream4 mysql
> logging is working)

because spp_stream4 writes to the log facility and spp_portscan does not...

> I am not a SQL or snort guru and I used the "create_mysql" file (from snort
> contrib) to create sql tables.
> 
> Is it normal? Did I miss something? What can I do?

You can make the change above, but beware, the data will not appear in your
database as it does in your portscan.log file.  The format is something like
(as it would appear in your alert file):

	" spp_portscan: PORTSCAN DETECTED to port 80 from XXX.XXX.XXX.XXX "

- Jeff
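The check below is an added example and not part of the thread or of Snort itself. It parses the `output` lines of a snort.conf and reports whether events from spp_stream4 (which, as the reply says, go through the log facility) and spp_portscan (which go through the alert facility) would reach the database plugin at all. The two config excerpts are constructed for the example; the second keeps the original `log` line and adds an `alert` line rather than replacing it, which relies on Snort accepting several output plugin lines in one config.

```python
"""Added example (not from the original thread): check which Snort 1.8
output facilities a snort.conf routes to the database plugin.

Assumptions, labelled: the config text below is constructed for the
example; the facility model follows the thread (spp_stream4 uses the
"log" facility, spp_portscan uses the "alert" facility) and Snort's
rule that several output lines may coexist in one snort.conf.
"""
import re

# "output <plugin>: <args>" -- comments and blank lines are ignored.
OUTPUT_RE = re.compile(r"^\s*output\s+(?P<plugin>[\w-]+)\s*:\s*(?P<args>.*)$")

# Which facility each preprocessor named in the thread emits through.
FACILITY_OF = {"spp_stream4": "log", "spp_portscan": "alert"}


def parse_output_lines(conf_text):
    """Return (plugin, facility, rest) for every output line.

    Only the database plugin takes a facility as its first argument;
    for other plugins facility is None and rest holds the raw args.
    """
    parsed = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip trailing comments
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin = m.group("plugin")
        args = [a.strip() for a in m.group("args").split(",") if a.strip()]
        facility = None
        if plugin == "database" and args and args[0] in ("alert", "log"):
            facility = args.pop(0)
        parsed.append((plugin, facility, args))
    return parsed


def database_facilities(conf_text):
    """Facilities ('alert', 'log') that reach any database output plugin."""
    return {fac for plugin, fac, _ in parse_output_lines(conf_text)
            if plugin == "database" and fac is not None}


def reaches_database(conf_text, preprocessor):
    """True if events from the named preprocessor end up in the database."""
    return FACILITY_OF[preprocessor] in database_facilities(conf_text)


def report(conf_text):
    """Human-readable findings, one line per preprocessor."""
    lines = []
    for pp, fac in FACILITY_OF.items():
        state = "stored" if reaches_database(conf_text, pp) else "NOT stored"
        lines.append(f"{pp} (facility '{fac}'): {state} in the database")
    return lines


# Constructed sample configs (not taken from the thread).
CONF_LOG_ONLY = """\
# snort.conf excerpt: only the log facility goes to MySQL
output alert_fast: alert
output database: log, mysql, user=snort dbname=snort host=localhost
"""

CONF_BOTH = """\
# snort.conf excerpt: both facilities go to MySQL
output alert_fast: alert
output database: log, mysql, user=snort dbname=snort host=localhost
output database: alert, mysql, user=snort dbname=snort host=localhost
"""

if __name__ == "__main__":
    for name, conf in (("log only", CONF_LOG_ONLY), ("log + alert", CONF_BOTH)):
        print(f"== {name} ==")
        for line in report(conf):
            print("  " + line)
```

Run it against a real snort.conf by reading the file into `conf_text`; a result of "NOT stored" for spp_portscan with spp_stream4 "stored" is exactly the symptom described in the thread.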
