[Snort-users] Portscans not displayed in ACID?

Peters, Michael D. Michael.Peters at ...9763...
Wed Jan 21 05:48:01 EST 2004


Could someone please advise me on what it takes to get portscan traffic to
show up in the ACID front page bar graph?

I have portscan data showing up in the current alert data just not in the
opening page bar graph.

For example:
snort] spp_portscan: PORTSCAN DETECTED from 68.15.238.162 (THRESHOLD 5
connections exceeded in 0 seconds)

These are the configuration parameters in the snort.conf file:

preprocessor flow: stats_interval 300 hash 1
preprocessor portscan: 68.16.185.128/27 5 6 /var/snort/portscan/snort.portscan

preprocessor stream4: keepstats, detect_scans, detect_state_problems, disable_evasion_alerts
preprocessor stream4_reassemble

preprocessor flow-portscan: \
        talker-sliding-scale-factor 0.50 \
        talker-fixed-threshold 30 \
        talker-sliding-threshold 30 \
        talker-sliding-window 20 \
        talker-fixed-window 30 \
        scoreboard-rows-talker 30000 \
        server-watchnet [68.16.185.128/27] \
        server-ignore-limit 200 \
        server-rows 65535 \
        server-learning-time 14400 \
        server-scanner-limit 4 \
        scanner-sliding-window 20 \
        scanner-sliding-scale-factor 0.50 \
        scanner-fixed-threshold 15 \
        scanner-sliding-threshold 40 \
        scanner-fixed-window 15 \
        scoreboard-rows-scanner 30000 \
        src-ignore-net [172.16.0.0/16] \
        dst-ignore-net [10.0.0.0/30] \
        alert-mode once \
        output-mode msg \
        tcp-penalties on

output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=username password=password dbname=snort host=localhost sensor_name=HOME

I get /var/snort/portscan/snort.portscan logging just fine. It seems that I
just have some configuration issue causing this.

Any assistance would be appreciated.

Best regards,

Michael D. Peters 
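As an added illustration (not code from the post, Snort or ACID), the following parses spp_portscan alert lines in the wording quoted above and tallies detections per scanning source, which is the per-source count a front-page bar graph would chart. The syslog prefix, the hostname and all addresses other than 68.15.238.162 are constructed sample data.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Matches the spp_portscan alert text quoted in the post (assumed wording):
#   spp_portscan: PORTSCAN DETECTED from 68.15.238.162 (THRESHOLD 5 connections exceeded in 0 seconds)
# Any syslog or "[snort]" prefix before "spp_portscan:" is skipped by search().
PORTSCAN_RE = re.compile(
    r"spp_portscan: PORTSCAN DETECTED from (?P<src>(?:\d{1,3}\.){3}\d{1,3}) "
    r"\(THRESHOLD (?P<threshold>\d+) connections exceeded in (?P<window>\d+) seconds\)"
)


@dataclass(frozen=True)
class PortscanAlert:
    src: str        # scanning host
    threshold: int  # connection count that tripped the preprocessor
    window: int     # seconds over which the threshold was exceeded


def parse_portscan_alert(line: str) -> Optional[PortscanAlert]:
    """Return the parsed alert, or None for lines that are not spp_portscan detections."""
    m = PORTSCAN_RE.search(line)
    if m is None:
        return None
    return PortscanAlert(m["src"], int(m["threshold"]), int(m["window"]))


def scans_by_source(lines: Iterable[str]) -> Counter:
    """Count PORTSCAN DETECTED alerts per source address; non-portscan lines are ignored."""
    alerts = (parse_portscan_alert(line) for line in lines)
    return Counter(a.src for a in alerts if a is not None)


# Constructed sample syslog lines; only the first source address comes from the post.
SAMPLE_LOG = [
    "Jan 21 05:40:01 sensor snort[1234]: spp_portscan: PORTSCAN DETECTED from 68.15.238.162 (THRESHOLD 5 connections exceeded in 0 seconds)",
    "Jan 21 05:40:03 sensor snort[1234]: spp_portscan: PORTSCAN DETECTED from 192.0.2.10 (THRESHOLD 5 connections exceeded in 2 seconds)",
    "Jan 21 05:41:17 sensor snort[1234]: spp_portscan: PORTSCAN DETECTED from 68.15.238.162 (THRESHOLD 5 connections exceeded in 1 seconds)",
    "Jan 21 05:42:00 sensor snort[1234]: spp_stream4: possible EVASIVE RST detection",  # constructed non-portscan line
]

if __name__ == "__main__":
    for src, n in scans_by_source(SAMPLE_LOG).most_common():
        print(f"{src:<16} {n:>3} scan alert(s)")
```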
