[Snort-users] Snort Enterprise Implementation

larc larc at ...1187...
Mon Jan 13 06:21:04 EST 2003

This is from the snort faq:

Q: Portscans are not being logged to my database

A: You need to change the output facility to 'alert' rather then 'log'.  The 
   portscan preprocessor calls output plugins registered as 'alert' plugins 
   rather then 'log'.

      output database: alert, mysql, user=snort dbname=snort host=localhost

Stefan D.

 Greg Adams <adamsg at ...7983...> wrote:
I have setup an "Snort Enterprise Implementation".  I used the
>documentation prepared by Steven J. Scoot. (http://www.superhac.com) I
>have set up the two linux servers, one acting as a server for ACID,
>apache, MySQL Database, and SnortCenter, the second linux box is setup
>as a Snort Sensor only.
>I have been seccessfuly in setup the two servers and see events being
>recorded for the fields TCP, UDP, ICMP  of the Analysis Console for
>Intrusion Databases (ACID); however, the precent for Portscan Traffic
>remains at zero ACID.
>The snort sensor server show data being recorded to alert and scan.log
>Does anyone have any insite as to what I may have missed in the
>configuration to cause the Portscan Traffic to remain at zero.
>Greg Adams
>This SF.NET email is sponsored by: FREE  SSL Guide from Thawte
>are you planning your Web Server Security? Click here to get a FREE
>Thawte SSL guide and find the answers to all your  SSL security issues.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list