[Snort-users] Portscans in enterprise environment

Bob Dehnhardt bob.dehnhardt at ...7168...
Tue Jan 21 15:26:07 EST 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Okay, if I understand things properly (and there's a good chance I don't -
feel free to correct me), the portscan2 preprocessor will only log to a
file, not to a database. And ACID will only read the portscan data from one
file.

Assuming this is correct, how are people in enterprise environments handling
their portscan detection? I'm running Snort 1.9.0 on RedHat 7.3 with ACID
0.9.23b and SnortCenter 0.9.6. I've got 11 sensors scattered across 3 sites,
and want to have portscan data from all of our external-facing sensors. My
initial thought was to scp the logs from the various sensors, and cat them
together into a single file for ACID to read, but wanted to check with the
list before I reinvent the wheel. Also, I didn't want to lose track of which
sensor was reporting the scan (yeah, I should be able to infer it from the
traffic, but that's a little hard to sort on).

Thanks....

- -	Bob

Bob Dehnhardt
IT Operations Manager - Reno
(775) 327-6407 
(775) 232-2820 cell
(510) 352-6480 fax
bob.dehnhardt at ...7168...
PGP Key ID: 0xEA0E6BAD

TriNet
Paperless HR  Total Service
www.trinet.com 

The contents of this email are the property of TriNet Group, Inc. and may be
confidential or legally privileged.  If you received this message in error
or are not the intended recipient, you should destroy the email message and
any attachments or copies, and you are prohibited from retaining,
distributing, disclosing or using any information contained herein.  Please
inform us of the erroneous delivery by return email.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPi3W5IDecwvqDmutEQLs+wCeIywZ6uCiipwhcwH9Uq+WK1CdDX0An0rw
1i5g/219MeCFbuHOWsuhHyT4
=XKZQ
-----END PGP SIGNATURE-----

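The scp-and-cat approach sketched in the post, written out as an added example (it is not code from the original message, nor from Snort, ACID or SnortCenter). It assumes one directory per sensor, named after the sensor, into which each sensor's scan log has been copied; the remote path /var/log/snort/scan.log, the snort login and the sensor names are assumptions for the example, and the sample log lines are constructed to look like portscan2 output rather than copied from a real sensor. The merge appends a trailing " sensor: NAME" field to each line so the sensor that reported the scan is never lost; the original leading fields are left untouched.

```shell
#!/bin/sh
# Added example: pull portscan2 logs from several sensors and merge them into
# one file, tagging every line with the sensor that produced it.

# fetch_sensor_log SENSOR HOST DESTDIR
# Copies the sensor's scan log into DESTDIR/SENSOR/scan.log over scp.
# Remote path and login are assumptions; adjust to your deployment.
fetch_sensor_log() {
    sensor="$1"; host="$2"; dest="$3"
    mkdir -p "$dest/$sensor"
    scp -q "snort@$host:/var/log/snort/scan.log" "$dest/$sensor/scan.log"
}

# merge_portscan_logs OUTFILE SENSORDIR
# SENSORDIR holds one subdirectory per sensor (named after the sensor), each
# containing scan.log. Lines are concatenated in per-sensor order and each
# gets " sensor: NAME" appended. Prints the number of merged lines.
merge_portscan_logs() {
    out="$1"; dir="$2"
    : > "$out"
    for sensor_dir in "$dir"/*/; do
        sensor=$(basename "$sensor_dir")
        log="$sensor_dir/scan.log"
        [ -f "$log" ] || continue
        # Append the tag at end of line so the leading fields stay in place.
        sed "s/\$/ sensor: $sensor/" "$log" >> "$out"
    done
    wc -l < "$out" | tr -d ' '
}

# make_sample_logs BASEDIR
# Writes constructed sample logs for two sensors under BASEDIR/sensors so the
# merge can be exercised offline. The line layout is an approximation of
# portscan2 output, not captured data.
make_sample_logs() {
    base="$1"
    mkdir -p "$base/sensors/reno-dmz1" "$base/sensors/sf-dmz1"
    cat > "$base/sensors/reno-dmz1/scan.log" <<'EOF'
01/21-14:02:11.104233 TCP src: 192.0.2.10 dst: 198.51.100.20 sport: 40211 dport: 22 tgts: 1 ports: 1 flags: ******S* event_id: 1
01/21-14:02:11.301177 TCP src: 192.0.2.10 dst: 198.51.100.20 sport: 40212 dport: 23 tgts: 1 ports: 2 flags: ******S* event_id: 1
EOF
    cat > "$base/sensors/sf-dmz1/scan.log" <<'EOF'
01/21-14:05:42.000912 TCP src: 203.0.113.7 dst: 198.51.100.33 sport: 51000 dport: 80 tgts: 1 ports: 1 flags: ******S* event_id: 2
01/21-14:05:42.114488 TCP src: 203.0.113.7 dst: 198.51.100.33 sport: 51001 dport: 443 tgts: 1 ports: 2 flags: ******S* event_id: 2
EOF
}

# Stand-alone run: build the constructed logs, merge them, show the result.
if [ "${SNORT_MERGE_DEMO:-1}" = "1" ]; then
    work=$(mktemp -d)
    make_sample_logs "$work"
    count=$(merge_portscan_logs "$work/merged.log" "$work/sensors")
    echo "merged $count lines into $work/merged.log"
    cat "$work/merged.log"
fi
```

In practice fetch_sensor_log would be run once per sensor from cron before the merge, and the merged file pointed at from ACID's portscan configuration. Whether ACID's portscan reader tolerates the extra trailing field is an assumption to check against your version; if it does not, feed ACID a plain concatenation and keep the tagged file alongside it for sorting by sensor.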