[Snort-users] Port scans not showing up in ACID.

Michael Steele michaels at ...9077...
Thu Feb 5 16:34:07 EST 2004


John,

Are you running 2.1 and if so what parameters are you running in your
snort.conf for the portscan?

2.06 would work fine logging portscans to MySQL and ACID displayed them with
no problem, but Snort 2.1 is apparently not doing portscan logging in the
same fashion as 2.0.6.

Kindest regards, 

The WINSNORT.com Management Team
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support at ...9077...
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org



> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> admin at lists.sourceforge.net] On Behalf Of John Creegan
> Sent: Thursday, February 05, 2004 10:33 AM
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Port scans not showing up in ACID.
> 
> Mine does, but not until the percentage of portscan traffic reaches at
> least 1 percent of total traffic (see the function
> PrintProtocolProfileGraphs in the acid_common.php page.)  Also, I'm
> using the newer portscan2 preprocessor.  It appears you're using the
> original portscan preprocessor.
> 
> >>> "Michael Steele" <michaels at ...9077...> 02/05/04 11:53AM >>>
> John,
> 
> Thanks for offering to look at this. We have just updated to 2.1.0.
> 
> In ACID if I view the entire list of alerts I can see the portscans.
> 
> ----------\
> spp_portscan: portscan status from 69.56.144.70: 7 connections across 1
> hosts: TCP(7), UDP(0)
> ----------/
> 
> Shouldn't this alert show up in the "Portscan Traffic (%)" group on the
> home page of ACID?
> 
> I updated from 2.0.6 to 2.1.0 and added my 2.06 portscan line back into
> the snort.conf but Snort fails to show the portscans in the "Portscan
> Traffic (%)" group on the ACID homepage.
> 
> preprocessor portscan: $HOME_NET 4 3 \IDS\Snort\log\portscan.log
> 
> The log is being created and populated. I think this is the same
> situation as the rest are reporting.
> 
> I realize that the developers left the "preprocessor portscan:"
> variable out of the snort.conf config file but left in the code that
> still deals with it. Is there a way to set the new preprocessor for
> portscans that will allow the alerts to show up in ACID and do away
> with the old "preprocessor portscan:" line in the snort.conf?
> 
> Kindest regards,
> 
> The WINSNORT.com Management Team
> --
> Pick up your FREE Windows or UNIX Snort installation guides
> mailto:support at ...9077...
> Website: http://www.winsnort.com
> Snort: Open Source Network IDS - http://www.snort.org
> 
> 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> > admin at lists.sourceforge.net] On Behalf Of John Creegan
> > Sent: Thursday, February 05, 2004 6:08 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: RE: [Snort-users] Port scans not showing up in ACID.
> >
> > It's not ACID.  I'm seeing them here.  I'd be happy to go over the
> > differences in our configurations if you like.
> >
> > >>> "Michael Steele" <michaels at ...9077...> 02/04/04 06:59PM >>>
> > I believe it to be a problem with ACID. I wish it was being actively
> > developed. It seems the programmer has been absent for some time, but
> > I think he is still around, just busy doing other projects. It's free
> > so we can't expect too much :)
> >
> > Maybe someone else could patch it?
> >
> > Kindest regards,
> >
> > The WINSNORT.com Management Team
> > --
> > Pick up your FREE Windows or UNIX Snort installation guides
> > mailto:support at ...9077...
> > Website: http://www.winsnort.com
> > Snort: Open Source Network IDS - http://www.snort.org
> >
> >
> >
> > > -----Original Message-----
> > > From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> > > admin at lists.sourceforge.net] On Behalf Of Peters, Michael D.
> > > Sent: Wednesday, February 04, 2004 7:19 AM
> > > To: Snort-Users at ...1973... Sourceforge. Net (E-mail)
> > > Subject: [Snort-users] Port scans not showing up in ACID.
> > >
> > > I have portscan traffic identified in my logs but I don't have it
> > > registered in the ACID %meter on the home page. I'm working with the
> > > current snort 2.1.0 snapshot. Is there some threshold parameter of
> > > some configuration that will help display this portscan activity?
> > >
> > > Best regards,
> > >
> > > Michael D. Peters
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > The SF.Net email is sponsored by EclipseCon 2004
> > > Premiere Conference on Open Tools Development and Integration
> > > See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> > > http://www.eclipsecon.org/osdn
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> >
> >
> > This message (including any attachments) contains confidential
> > information intended for a specific individual and purpose,
> > and is protected by law.  If you are not the intended recipient,
> > you should delete this message and are hereby notified that any
> > disclosure,copying, or distribution of this message, or the taking
> > of any action based on it, is strictly prohibited.
> >
> 
> 
> 
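As an added illustration (not code from this thread, from Snort or from ACID), the following Python models the display cut-off John describes: it parses the spp_portscan status alert quoted above and checks whether the portscan share of all alerts reaches the 1 percent mark below which the "Portscan Traffic (%)" meter stays empty. Treating the cut-off as a plain percentage of all alerts, and the filler alert names, are assumptions made for the example.

```python
import re
from typing import Optional

# Pattern for the classic spp_portscan status alert quoted in this thread.
PORTSCAN_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts?: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)

# Cut-off John describes for ACID's portscan meter. Assumption: modelled here
# as a simple "portscan alerts as a percentage of all alerts" threshold.
DISPLAY_THRESHOLD_PCT = 1.0


def parse_portscan(msg: str) -> Optional[dict]:
    """Return the fields of an spp_portscan status alert, or None if msg is not one."""
    m = PORTSCAN_RE.search(msg)
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], **{k: int(d[k]) for k in ("conns", "hosts", "tcp", "udp")}}


def portscan_share(alerts: list) -> tuple:
    """Count portscan alerts among all alert messages; return (scans, total, percent)."""
    total = len(alerts)
    scans = sum(1 for a in alerts if parse_portscan(a) is not None)
    pct = (100.0 * scans / total) if total else 0.0
    return scans, total, pct


def shown_in_meter(alerts: list, threshold: float = DISPLAY_THRESHOLD_PCT) -> bool:
    """True when the portscan share reaches the meter's display threshold."""
    return portscan_share(alerts)[2] >= threshold


# Constructed sample: the alert text from the thread plus filler alerts
# (the filler names are made up for this example, not real Snort signatures).
SCAN_ALERT = ("spp_portscan: portscan status from 69.56.144.70: "
              "7 connections across 1 hosts: TCP(7), UDP(0)")
OTHER_ALERTS = [f"SAMPLE RULE {i}" for i in range(199)]

if __name__ == "__main__":
    quiet = [SCAN_ALERT] + OTHER_ALERTS        # 1 of 200 alerts = 0.5 %: hidden
    busy = [SCAN_ALERT] * 3 + OTHER_ALERTS     # 3 of 202 alerts = ~1.49 %: shown
    print(parse_portscan(SCAN_ALERT))
    print(portscan_share(quiet), shown_in_meter(quiet))
    print(portscan_share(busy), shown_in_meter(busy))
```

The same check explains the original complaint: a single portscan status alert among a few hundred other alerts sits well under the cut-off even though it is stored in the database and visible in the full alert list.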




