[Snort-users] flow-portscan data

Matthew L. McCarty matthew at ...10792...
Mon Dec 22 12:08:01 EST 2003


O.K. I have read that part of the manual, but I never tried the pktkludge 
option because I thought the msg (default) should work fine. It doesn't for my 
purposes. pktkludge is what I needed and makes sense now.

Thanks.


On Monday 22 December 2003 11:59, you wrote:
> At 12:38 PM 12/22/2003, Matthew L. McCarty wrote:
> >Could someone please tell me where this data is logged to or stored?
> >
> >I asked this question once already but got no response -- so I reread the
> >documentation and still can't find anything....WTD?  Why isn't it in the
> >documentation and if it is -- where?
>
> From RTing the FM, it appears that flow-portscan uses the standard alert
> or log mechanism.. thus the answer to "where it gets stored" is "where
> everything else gets stored".
>
> From README.flow-portscan:
>
>
> output-mode                  <msg|pktkludge>
>
>    msg       - a variable text message with the scores included
>    pktkludge - generate a fake pkt and use the Logging output system
>
>
> certainly from that it's VERY clear output-mode pktkludge uses the standard
> logging system.. thus it will output to the same place as any rule that
> uses the log keyword.
>
> I'd assume that msg uses either log or alert, but without a packet.

-- 
Matthew L. McCarty
Rare Earth Strategies Group Inc.
www.rareearthstrategies.com
(405)209-9598

Bringing IT solutions to your business through innovative strategies.




