[Snort-users] flow-portscan.

Chris Keladis chris at ...6400...
Sun May 23 02:19:02 EDT 2004


Hi all,

I was hoping someone could clarify something about flow-portscan's alerting.

I'm using unified output w/mudpit.

From what I could gather reading the Snort docs, the flow-portscan module 
uses the logging sub-system to send its alerts when it is configured with 
"output-mode pktkludge" (so it generates a fake packet, I assume, since unified 
output cannot handle variable text in alert messages).

Since I have both logging and alert streams feeding into mudpit, I'm 
wondering why I'm not getting anything out of flow-portscan.

gen-msg.map contains the SIDs for GID 121, and is also configured with 
mudpit. Also, server-watchnet is configured for the network to be monitored.

I was hoping someone could explain the way it's supposed to work in the case 
of unified output.




Thanks,

Chris.
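For readers comparing their own setup against the one described above, here is a constructed snort.conf fragment (added to this archive page; it is not from the original post or from the Snort project) that wires flow-portscan to both unified streams in pktkludge mode. The watch network, file names and roll-over limits are assumed placeholders, and the post itself does not say whether this arrangement produces output, so the fragment only shows the directives involved.

```conf
# Constructed example, not from the original post.
# flow-portscan requires the flow preprocessor to be loaded first.
preprocessor flow: stats_interval 0 hash 2

# server-watchnet: the network whose servers are tracked (192.168.1.0/24 is an assumed value).
# output-mode pktkludge: emit scan alerts as a synthetic packet through the logging path
# (the alternative, "output-mode msg", emits variable-length text that unified cannot carry).
preprocessor flow-portscan: server-watchnet [192.168.1.0/24] \
    output-mode pktkludge

# Both unified streams feed the external consumer (mudpit in the post);
# file names and limits are assumed values.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
```

The consumer reading the unified files still needs a gen-msg.map that carries the GID 121 entries, as the post notes, since the synthetic packet from pktkludge identifies the event only by generator and signature ID.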