[Snort-users] Snort-2.1.3 Portscan

Scott Elgram SElgram at ...10477...
Tue Aug 24 11:08:05 EDT 2004


John,
    I have gotten both portscan and portscan2 to work with ACID and I am now
looking into getting my ACID to support flow-portscan.  I have posted what
I've been able to figure out so far.

Thanks for your help,
-Scott
----- Original Message ----- 
From: "McCash, John" <John.McCash at ...10979...>
To: "Scott Elgram" <SElgram at ...10477...>;
<snort-users at lists.sourceforge.net>
Sent: Tuesday, August 24, 2004 11:02 AM
Subject: RE: [Snort-users] Snort-2.1.3 Portscan


Scott,
I'm not sure. I based the portscan2 comment on a number of other posts I've
seen claiming that it does work, but I haven't used portscan2 since I
upgraded to snort-2.0. I do know for sure that flow-portscan will log into
ACID if you set the pktkludge output option, but it's such a nasty mess
format-wise that I eventually disabled the portscan messages altogether.
I've meant to go back and use portscan2, but never gotten around to actually
digging out the required configuration options and re-enabling it. One thing
to check, though: are you using 'log' rather than 'alert' on your database
output plugin configuration line? The portscan2 plugin logs to the 'log'
facility rather than to the 'alert' facility.
John

-----Original Message-----
From: Scott Elgram [mailto:SElgram at ...10477...]
Sent: Monday, August 23, 2004 12:33 PM
To: McCash, John; snort-users at lists.sourceforge.net; erek at ...950...
Subject: Re: [Snort-users] Snort-2.1.3 Portscan


John,
    As per our earlier posts I have made the following changes to my
snort.conf:
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 30, port_limit 40, timeout 40, log /var/log/snort/portscan2.log

I have also added this to the acid_conf.php file:
$portscan_file = "/var/log/snort/portscan2.log";

I restarted Snort and scanned some IPs with SuperScan.  I didn't receive any
alerts in ACID; however, I did receive many entries in
/var/log/snort/portscan2.log.
Have I skipped a step here and left something out?

-Scott

----- Original Message ----- 
From: "McCash, John" <John.McCash at ...10979...>
To: "Scott Elgram" <SElgram at ...10477...>;
<snort-users at lists.sourceforge.net>; <erek at ...950...>
Sent: Monday, August 16, 2004 12:10 PM
Subject: RE: [Snort-users] Snort-2.1.3 Portscan


Scott,
This needs to go in the FAQ. Because Roman hasn't updated ACID in ages, it
lacks support for flow-portscan. To get ACID to properly recognize
portscans, you need to go back to portscan2, which is still implemented in
the code, but no longer listed in the default conf file. There are a number
of articles in the snort-users mailing list archives that address this,
including http://marc.theaimsgroup.com/?l=snort-users&m=109044048107572&w=2.
On a side note, Roman is purportedly working on a major update for ACID in
conjunction with other work, but it's apparently going slow. We're hoping
for something in the Q1 '05 timeframe.
John McCash

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Scott
Elgram
Sent: Monday, August 16, 2004 10:45 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort-2.1.3 Portscan


Hello,
    I am trying to configure a Snort 2.1.3 system with MySQL and ACID.  I
have it all up and running just fine right now except for one thing.  I
can't seem to get anything to register in the port scan traffic section of
ACID.  I have looked through my snort.conf for anything and found the
flow-portscan preprocessor.  I uncommented it and configured it as follows:
--------------------------------------------------------
preprocessor flow-portscan: \
unique-memcap 5000000 \
unique-rows 50000 \
server-watchnet [192.168.0.0/24] \
server-learning-time 300 \
server-scanner-limit 50 \
alert-mode once \
output-mode msg \
tcp-penalties on
--------------------------------------------------------

    Even with this configuration I still can't seem to get anything to
register in that particular section.  I am using SuperScan and scanning
various IPs on the network Snort is watching.  Have I configured this wrong,
maybe?

Thanks,
-Scott
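A snort.conf fragment, added here as an example and not taken from any of the messages above, that puts John's two suggestions side by side: portscan2 (together with the conversation preprocessor it depends on), whose events travel on the 'log' facility, with the database output plugin attached to 'log' rather than 'alert'; and flow-portscan switched from output-mode msg to pktkludge so its events are wrapped in a fake packet that packet-oriented output plugins can record. The MySQL user, password, database name, host and the watchnet are placeholders, not values from the thread.

```conf
# --- Added example snort.conf fragment (Snort 2.1.x syntax) ---
# Placeholders: user=snort password=CHANGEME dbname=snort host=localhost
# and the 192.168.0.0/24 watchnet. Replace with your own values.

# Option A: portscan2.
# portscan2 is built on the conversation preprocessor, so conversation
# must be enabled and must appear before portscan2 in the file.
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 30, port_limit 40, timeout 40, log /var/log/snort/portscan2.log

# Option B: flow-portscan.
# flow-portscan is built on the flow preprocessor, which must be enabled
# first. output-mode msg only prints a message; output-mode pktkludge
# attaches a fake packet to the event so that output plugins written for
# packet-based alerts (the database plugin included) can record it.
preprocessor flow: stats_interval 0 hash 2
preprocessor flow-portscan: \
    unique-memcap 5000000 \
    unique-rows 50000 \
    server-watchnet [192.168.0.0/24] \
    server-learning-time 300 \
    server-scanner-limit 50 \
    alert-mode once \
    output-mode pktkludge \
    tcp-penalties on

# Weak setting: the plugin listens only on the 'alert' facility, so
# portscan2 events never reach the database and stay in the flat file.
# output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Corrected setting: attach the plugin to the 'log' facility. Rules with
# the 'alert' action both alert and log, so ordinary rule hits still
# arrive in the database as well.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

Pick one of the two portscan options rather than running both; ACID's own port scan section, as John notes, only understands the older portscan2 output, while flow-portscan events recorded via pktkludge show up as generic alerts rather than as parsed scan records. After changing the output line, restart Snort and rescan, then check that new rows appear in the database before looking at ACID.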


----------------------------------------------------------------------------
--------------------
This message is for the designated recipient only and may
contain privileged, proprietary, or otherwise private information.
If you have received it in error, please notify the sender
immediately and delete the original.  Any unauthorized use of
this email is prohibited.
----------------------------------------------------------------------------
--------------------
[mf2]