[Snort-users] spp_portscan and mysql
snort-ml at ...5833...
Mon May 13 15:04:02 EDT 2002
Thanks for your response Jeff,
Effectively you were right about my conf file.
But as I can read in README.databases, the syntax is:
[log | alert]
So there is no possibility to have log and alert logged in the databases in
Mikael Chambon || Paris France
mikael (at) cronos.org
mikael (at) nerim.net
PGP key http://www.cronos.org/mikael/pgp/key.txt
----- Original Message -----
From: "Wirth, Jeff" <WirthJe at ...4876...>
To: "'Mikael Chambon'" <snort-ml at ...5833...>;
<snort-users at lists.sourceforge.net>
Sent: Monday, May 13, 2002 4:13 PM
Subject: RE: [Snort-users] spp_portscan and mysql
> From: Mikael Chambon [mailto:snort-ml at ...5833...]
> > I am using snort 1.8.6, mysql 3.23.49, snortreport 1.11 on a
> > Linux 2.4.18
> > Snort is correctly detecting portscan and writes correctly alert and
> > portscan.log:
> > May 12 19:44:37 184.108.40.206:15000 -> 192.168.X.X:5000 SYN ******S*
> > May 12 19:44:36 220.127.116.11:10445 -> 192.168.X.X:445 SYN ******S*
> > May 12 19:44:36 18.104.22.168:10143 -> 192.168.X.X:143 SYN ******S*
> > May 12 19:44:36 22.214.171.124:10139 -> 192.168.X.X:139 SYN ******S*
> > The problem is, nothing is written in the sql databases when it
> > comes from
> > spp_portscan
> ...check your snort.conf file, I would guess you have something along the
> lines of:
> output database: log, mysql, <other options>
> In order to see portscan data you need to modify the above to:
> output database: alert, mysql, <other options>
> > As we can see there is nothing from spp_portscan (but
> > spp_stream4 mysql
> > logging is working)
> because spp_stream4 writes to the log facility and spp_portscan does
> > I am not a SQL or snort guru and I used the "create_mysql"
> > file (from snort
> > contrib) to create sql tables.
> > Is it normal?? Did I miss something? What can I do?
> You can make the change above, but beware, the data will not appear in
> database as it does in your portscan.log file. The format is something
> (as it would appear in your alert file)....
> " spp_portscan: PORTSCAN DETECTED to port 80 from XXX.XXX.XXX.XXX "
> - Jeff
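Since spp_portscan's records only reach the database when the output plugin is attached to the alert facility, a site that keeps the plugin on the log facility still has the flat portscan.log file. The following is an added example, not code from the thread or from the Snort project: a small Python parser for the portscan.log layout quoted above that groups records by source address, decodes the flag column, and reports sources that touched several distinct destination ports. The sample log lines are constructed (addresses made up, one deliberately malformed line), the 8-character flag order 12UAPRSF is Snort's TCP flag string layout, and the treatment of a missing flag column for non-TCP records is an assumption.

```python
from __future__ import annotations

import re

# Constructed sample in the spp_portscan portscan.log layout quoted in the thread:
# "<mon> <day> <time> <src>:<sport> -> <dst>:<dport> <scan type> <flags>".
# Addresses are made up; the last line is malformed on purpose to exercise the skip path.
SAMPLE_PORTSCAN_LOG = """\
May 12 19:44:36 10.0.0.5:10445 -> 192.168.0.10:445 SYN ******S*
May 12 19:44:36 10.0.0.5:10143 -> 192.168.0.10:143 SYN ******S*
May 12 19:44:36 10.0.0.5:10139 -> 192.168.0.10:139 SYN ******S*
May 12 19:44:37 10.0.0.5:15000 -> 192.168.0.10:5000 SYN ******S*
May 12 19:44:40 10.0.0.9:53000 -> 192.168.0.10:80 SYN ******S*
May 12 19:44:41 10.0.0.9:53001 -> 192.168.0.10:80 SYN ******S*
not a portscan record
"""

# The flag column is optional here (assumption: non-TCP records carry none).
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<scan>\S+)(?: (?P<flags>\S+))?$"
)

# Snort prints TCP flags as an 8-character string in the order 12UAPRSF
# (reserved bits 1 and 2, URG, ACK, PSH, RST, SYN, FIN); '*' marks an unset bit.
FLAG_LEGEND = "12UAPRSF"


def decode_tcp_flags(flags: str) -> list[str]:
    """Return the set flag names from a Snort flag string such as '******S*'."""
    if len(flags) != len(FLAG_LEGEND):
        raise ValueError(f"unexpected flag string: {flags!r}")
    return [name for name, ch in zip(FLAG_LEGEND, flags) if ch != "*"]


def parse_portscan_line(line: str) -> dict | None:
    """Parse one portscan.log record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flag_names"] = decode_tcp_flags(rec["flags"]) if rec["flags"] else []
    return rec


def summarize_by_source(log_text: str) -> dict[str, dict]:
    """Group records by source: record count, distinct ports/targets, time span.

    Times are compared as HH:MM:SS strings, so the span is only meaningful
    within a single day (the log carries no year and we ignore the date).
    """
    summary: dict[str, dict] = {}
    for line in log_text.splitlines():
        rec = parse_portscan_line(line)
        if rec is None:
            continue  # skip malformed or unrelated lines
        entry = summary.setdefault(rec["src"], {
            "records": 0, "ports": set(), "targets": set(),
            "first": rec["time"], "last": rec["time"],
        })
        entry["records"] += 1
        entry["ports"].add(rec["dport"])
        entry["targets"].add(rec["dst"])
        entry["first"] = min(entry["first"], rec["time"])
        entry["last"] = max(entry["last"], rec["time"])
    return summary


def detect_scanners(summary: dict[str, dict], min_ports: int = 3) -> list[str]:
    """Sources that touched at least min_ports distinct destination ports."""
    return sorted(src for src, e in summary.items() if len(e["ports"]) >= min_ports)


if __name__ == "__main__":
    s = summarize_by_source(SAMPLE_PORTSCAN_LOG)
    for src in detect_scanners(s):
        e = s[src]
        print(f"portscan from {src}: {len(e['ports'])} ports on "
              f"{len(e['targets'])} host(s) between {e['first']} and {e['last']}")
```

Run it against a real portscan.log by replacing SAMPLE_PORTSCAN_LOG with the file's contents; the per-source dictionaries are ready to be inserted into a table of your own if the database output plugin is not receiving the preprocessor's alerts.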