[Snort-users] flow-portscan data

Matt Kettler mkettler at ...4108...
Mon Dec 22 09:58:02 EST 2003


At 12:38 PM 12/22/2003, Matthew L. McCarty wrote:
>Could someone please tell me where this data is logged to or stored?
>
>I asked this question once already but got no response -- so I reread the
>documentation and still can't find anything....WTD?  Why isn't it in the
>documentation and if it is -- where?

From RTing the FM, it appears that flow-portscan uses the standard alert 
or log mechanism.. thus the answer to "where it gets stored" is "where 
everything else gets stored".

From README.flow-portscan:


output-mode                  <msg|pktkludge>

   msg       - a variable text message with the scores included
   pktkludge - generate a fake pkt and use the Logging output system


Certainly from that it's VERY clear output-mode pktkludge uses the standard 
logging system.. thus it will output to the same place as any rule that 
uses the log keyword.

I'd assume that msg uses either log or alert, but without a packet.




