[Snort-users] Snort Enterprise Implementation

Hicks, John JHicks at ...5857...
Mon Jan 13 06:29:03 EST 2003


Greg,

Set the $portscan_file variable in acid_conf.php. From the Install Guide
(http://www.cert.org/kb/acid/):
	[OPTIONAL for Snort portscan pre-processor support]
	o $portscan_file  : full path to a Snort portscan log file

However, this requires that the ACID system have access to the portscan.log
file. This can be achieved near-realtime via cron jobs that collect those
via SCP and append them to a master file on the ACID station.

As another option, you can change the action of Snort from 'alert' to 'log'.
This will force each portscan event to show as an alert along with all the
rest, but beware, I've had major issues with how it sends the alert not
allowing me to list by IP and have the portscans be listed properly.

hth,

John Hicks

-----Original Message-----
From: Greg Adams [mailto:adamsg at ...7983...]
Sent: Monday, January 13, 2003 8:07 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort Enterprise Implementation


I have set up a "Snort Enterprise Implementation".  I used the
documentation prepared by Steven J. Scoot. (http://www.superhac.com) I
have set up the two Linux servers, one acting as a server for ACID,
Apache, MySQL Database, and SnortCenter; the second Linux box is set up
as a Snort Sensor only.

I have been successful in setting up the two servers and see events being
recorded for the fields TCP, UDP, ICMP of the Analysis Console for
Intrusion Databases (ACID); however, the percent for Portscan Traffic
remains at zero in ACID.

The Snort sensor server shows data being recorded to the alert and scan.log
files.

Does anyone have any insight as to what I may have missed in the
configuration to cause the Portscan Traffic to remain at zero?

Greg Adams
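The collection scheme John describes above (cron jobs pulling each sensor's portscan.log over SCP and appending it to one master file that $portscan_file points at) is easy to get wrong in one respect: a naive `cat >>` in cron duplicates every line each time it runs, which inflates the portscan counts ACID shows. The script below is an added example, not code from the thread, from ACID or from Snort. It assumes the per-sensor files have already been copied locally by SCP, and it assumes the Snort 1.x spp_portscan line format shown in the constructed sample (adjust PORTSCAN_LINE if your sensor writes something different). It appends only lines the master file does not yet contain, drops malformed lines, and is safe to re-run from cron.

```python
"""Merge SCP-collected Snort portscan.log snapshots into one master file.

Added example for the cron/SCP collection scheme discussed in the thread;
not part of ACID or Snort.  Assumptions:
  * sensor snapshots are already local (e.g. /var/log/acid/portscan-<sensor>.log)
  * Snort 1.x spp_portscan writes lines like
        Jan 13 06:29:03 10.1.1.5:3245 -> 10.1.1.10:22 SYN ******S*
    (assumed format; the UDP variant carries no flags field)
"""
import re
from collections import Counter
from pathlib import Path

# Assumed spp_portscan line layout: timestamp, src:port -> dst:port, proto [flags]
PORTSCAN_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\S+)(?: (?P<flags>\S+))?$"
)

# Constructed sample snapshots from two sensors; sensor-b repeats one line
# of sensor-a (the same scan seen twice) and sensor-a contains a junk line.
SENSOR_A = """Jan 13 06:29:03 10.1.1.5:3245 -> 10.1.1.10:22 SYN ******S*
Jan 13 06:29:03 10.1.1.5:3246 -> 10.1.1.10:23 SYN ******S*
this line is not a portscan record
"""
SENSOR_B = """Jan 13 06:29:03 10.1.1.5:3245 -> 10.1.1.10:22 SYN ******S*
Jan 13 06:30:11 10.1.1.7:40000 -> 10.1.1.10:80 UDP
"""


def parse_line(line):
    """Return a dict for a well-formed portscan line, or None for junk."""
    m = PORTSCAN_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def merge_snapshots(snapshot_paths, master_path):
    """Append lines from each snapshot that the master file lacks.

    Raw lines are kept as-is because ACID parses the master file itself.
    Idempotent: running it again from cron appends nothing new.
    Returns (appended, skipped_duplicate, skipped_malformed).
    """
    master = Path(master_path)
    seen = set(master.read_text().splitlines()) if master.exists() else set()
    appended = dup = bad = 0
    with master.open("a") as out:
        for snap in snapshot_paths:
            for line in Path(snap).read_text().splitlines():
                if not line.strip():
                    continue
                if parse_line(line) is None:
                    bad += 1          # truncated or foreign line: do not forward
                    continue
                if line in seen:
                    dup += 1          # already in master from an earlier run/sensor
                    continue
                out.write(line + "\n")
                seen.add(line)
                appended += 1
    return appended, dup, bad


def scans_by_source(master_path):
    """Count portscan records per source IP, the per-IP view John wanted."""
    counts = Counter()
    for line in Path(master_path).read_text().splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec["src"]] += 1
    return dict(counts)


def run_demo():
    """End-to-end run on the constructed snapshots in a temp directory."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        snaps = []
        for name, text in (("sensor-a", SENSOR_A), ("sensor-b", SENSOR_B)):
            p = Path(d) / f"portscan-{name}.log"
            p.write_text(text)
            snaps.append(p)
        master = Path(d) / "portscan-master.log"
        first = merge_snapshots(snaps, master)    # (3, 1, 1)
        second = merge_snapshots(snaps, master)   # (0, 4, 1): nothing new
        return first, second, scans_by_source(master)


if __name__ == "__main__":
    first, second, per_src = run_demo()
    print("first run  (appended, dup, bad):", first)
    print("second run (appended, dup, bad):", second)
    print("scans by source:", per_src)
```

In a real deployment the cron entry would first `scp` each sensor's portscan.log to the local snapshot path and then call `merge_snapshots` on those paths with the file named in `$portscan_file` as the master; because the merge keys on the full line, the same scan record seen by two sensors is counted once.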