chris at ...6400...
Sun May 23 02:19:02 EDT 2004
I was hoping someone could clarify something about flow-portscan's alerting.
I'm using unified output w/mudpit.
From what I could gather reading the Snort docs, the flow-portscan module
uses the logging sub-system to send its alerts when it is configured with
"output-mode pktkludge" (so it generates a fake pkt, I assume since unified
output cannot handle variable text in alert messages).
Since I have both logging and alert streams feeding into mudpit, I'm
wondering why I'm not getting anything out of flow-portscan?
gen-msg.map contains the SIDs for GID 121, and is also configured with
mudpit. Also, server-watchnet is configured for the network to be monitored.
Was hoping someone could explain the way it's supposed to work, in the case
of unified output?