[Snort-users] portscan logging to DB??

Michael Boman michael.boman at ...11827...
Sat Oct 30 11:00:51 EDT 2004


On Sat, 30 Oct 2004 10:32:02 -0700, Steven Crandell
<steven.crandell at ...11827...> wrote:
> Hi all,
> 
> I'm sure I'm just missing the doc that tells me how to do this, but
> try as I might, I can't find it.
> I'm trying to find a way to get the alerts generated by this line in
> my snort.conf
> "preprocessor portscan: xxx.xxx.xxx.xxx/24 5 7 /var/log/snort/alert"
> to log to the database in addition to the file specified.
> 
> I'm also wondering about the flow-portscan preprocessor output.
> I have: "output-mode msg"
> but does this mean that anything that the flow-portscan detects goes
> to the db or some other place?
> 
> It may be worth noting that I have these two lines in my conf also.
> output alert_fast: alert
> output database: log, mysql, user=<dbuser> password=<pass> dbname=<db>
> host=localhost
> 
> I'm not sure if one or the other of them becomes a default output
> method or something.  Any recommendations would be greatly
> appreciated.
> 
> thanks,

You are not mentioning what frontend you are using, but standard ACID
or plain snort doesn't store them in the database. The only front-end I know
of that stores portscan and session statistics in the DB is Sguil
(www.sguil.net, and it's actually much more than just a front-end).

Disclaimer: I am listed as a developer at the sguil project

Best regards
 Michael Boman
