[Snort-users] spp_portscan and mysql

Mikael Chambon snort-ml at ...5833...
Mon May 13 15:04:02 EDT 2002


Thanks for your response, Jeff,


Effectively you were right about my conf file.
But as I can read in README.databases, the syntax is:

[log | alert]

So there is no possibility to have log and alert logged in the databases at
the same time??

Thanks,


--
Mikael Chambon || Paris France
mikael (at) cronos.org
mikael (at) nerim.net
PGP key http://www.cronos.org/mikael/pgp/key.txt
----- Original Message -----
From: "Wirth, Jeff" <WirthJe at ...4876...>
To: "'Mikael Chambon'" <snort-ml at ...5833...>;
<snort-users at lists.sourceforge.net>
Sent: Monday, May 13, 2002 4:13 PM
Subject: RE: [Snort-users] spp_portscan and mysql


>
> From: Mikael Chambon [mailto:snort-ml at ...5833...]
> > I am using snort 1.8.6, mysql 3.23.49, snortreport 1.11 on a
> > Linux 2.4.18.
> > Snort correctly detects portscans and correctly writes alert and
> > portscan.log:
> >
> > May 12 19:44:37 207.71.92.221:15000 -> 192.168.X.X:5000 SYN ******S*
> > May 12 19:44:36 207.71.92.221:10445 -> 192.168.X.X:445 SYN ******S*
> > May 12 19:44:36 207.71.92.221:10143 -> 192.168.X.X:143 SYN ******S*
> > May 12 19:44:36 207.71.92.221:10139 -> 192.168.X.X:139 SYN ******S*
> >
> > The problem is, nothing is written in the SQL database when it
> > comes from spp_portscan.
>
> ...check your snort.conf file, I would guess you have something along the
> lines of:
>
> output database: log, mysql, <other options>
>      ^^^
> In order to see portscan data you need to modify the above to:
>
> output database: alert, mysql, <other options>
>                        ^^^^^
> >
> > As we can see there is nothing from spp_portscan (but
> > spp_stream4 mysql
> > logging is working)
>
> because spp_stream4 writes to the log facility and spp_portscan does
> not...
>
> > I am not a SQL or snort guru and I used the "create_mysql"
> > file (from snort contrib) to create the SQL tables.
> >
> > Is it normal?? Did I miss something? What can I do?
>
> You can make the change above, but beware, the data will not appear in your
> database as it does in your portscan.log file.  The format is something like
> (as it would appear in your alert file)....
>
> " spp_portscan: PORTSCAN DETECTED to port 80 from XXX.XXX.XXX.XXX "
>
> - Jeff
>
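The question Mikael raises (one facility per `output database:` line) is usually answered in snort.conf by declaring the plugin once per facility. The fragment below is an added example, not text from either message on this page: it shows the single-instance form, which captures only one of the two streams, next to the two-instance form, which sends both the alert facility (where spp_portscan writes, as Jeff notes) and the log facility (where spp_stream4 writes) to the same MySQL database. The connection parameters (user, password, dbname, host) are placeholders and are assumed to match the database created with the contrib create_mysql script.

```conf
# Single instance: only the alert facility reaches MySQL, so spp_portscan
# alerts are stored but spp_stream4's log-facility output is not.
# (With "log" in place of "alert" the situation is reversed.)
#output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Two instances, one per facility: alert-facility records (spp_portscan,
# alert rules) and log-facility records (spp_stream4, log rules) are both
# inserted into the same database.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost
output database: log,   mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

One caveat when running both lines: a rule with the `alert` action hands the packet to the alert facility and then to the log facility, so an alert rule match is recorded by each plugin instance, once per line. Preprocessor output such as spp_portscan, which only uses the alert facility, is stored once.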