[Snort-users] Portscans not displayed in ACID?
Peters, Michael D.
Michael.Peters at ...9763...
Wed Jan 21 05:48:01 EST 2004
Could someone please advise me on what it takes to get portscan traffic to
show up in the ACID front page bar graph?
I have portscan data showing up in the current alert data just not in the
opening page bar graph.
snort] spp\_portscan: PORTSCAN DETECTED from 18.104.22.168 (THRESHOLD 5
connections exceeded in 0 seconds)
These are the configuration parameters in the snort.conf file:
preprocessor flow: stats_interval 300 hash 1
preprocessor portscan: 22.214.171.124/27 5 6
preprocessor stream4: keepstats, detect_scans, detect_state_problems,
preprocessor flow-portscan: \
talker-sliding-scale-factor 0.50 \
talker-fixed-threshold 30 \
talker-sliding-threshold 30 \
talker-sliding-window 20 \
talker-fixed-window 30 \
scoreboard-rows-talker 30000 \
server-watchnet [126.96.36.199/27] \
server-ignore-limit 200 \
server-rows 65535 \
server-learning-time 14400 \
server-scanner-limit 4 \
scanner-sliding-window 20 \
scanner-sliding-scale-factor 0.50 \
scanner-fixed-threshold 15 \
scanner-sliding-threshold 40 \
scanner-fixed-window 15 \
scoreboard-rows-scanner 30000 \
src-ignore-net [172.16.0.0/16] \
dst-ignore-net [10.0.0.0/30] \
alert-mode once \
output-mode msg \
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=username password=password
I get /var/snort/portscan/snort.portscan logging just fine. It seems that I
just have some configuration issue causing this.
Any assistance would be appreciated.
Michael D. Peters
More information about the Snort-users