[Snort-users] portscan events not showing up in base
jnn at ...13788...
Tue May 23 09:53:09 EDT 2006
preprocessor portscan: $HOME_NET 25 3 portscan.log
preprocessor portscan-ignorehosts: XX.XX.XX.XX/XX
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 12, port_limit 25, timeout 3
preprocessor portscan2-ignorehosts: XX.XX.XX.XX/XX
preprocessor portscan2-ignoreports-from: 25
preprocessor portscan2-ignoreports-to: 25
Replace the XX.XX's with my network addresses.
On Tue, May 23, 2006 at 12:07:30PM -0400, Joel Esler wrote:
> What is your portscan line from your snort.conf file?
> John Newman wrote:
> > Hello,
> > I'm using snort 2.4.4 but not sfportscan, rather the older portscan and
> > portscan2 modules. I've just realized that, although portscans are
> > being detected just fine, they aren't being propagated through barnyard
> > into the base database.
> > e.g.
> > select * from acid_event where sig_name like '%portscan%' and timestamp >
> > '2006-05-01 00:00:00';
> > returns nothing
> > If I change the date portion to sometime last month, before I switched
> > from sfportscan, I get all sorts of results. Does anyone have any clue
> > what might be causing this?
> > thanks,
Systems Administrator, WebXess Inc.
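To make the portscan2 thresholds in the snort.conf line above concrete, here is an added illustration (my own code, not Snort's portscan2 preprocessor and not part of the original thread) that applies the same numbers, target_limit 12, port_limit 25, timeout 3, plus the portscan2-ignoreports-to 25 exclusion, to a constructed set of connection records. The semantics are a simplification and an assumption on my part: a source is reported once it has touched at least target_limit distinct hosts or port_limit distinct ports within a sliding timeout-second window. The IP addresses and records are constructed for the example.

```python
"""Added illustration of portscan2-style thresholds; not Snort code.

Assumed semantics (simplified): a source that contacts >= target_limit
distinct hosts, or >= port_limit distinct ports, within `timeout` seconds
is reported as a scanner. Hosts/ports listed as ignored are skipped, in
the spirit of portscan2-ignorehosts / portscan2-ignoreports-to.
"""
from collections import defaultdict

# Values from the snort.conf line quoted in the thread.
TARGET_LIMIT = 12
PORT_LIMIT = 25
TIMEOUT = 3.0


def detect_scans(records, target_limit=TARGET_LIMIT, port_limit=PORT_LIMIT,
                 timeout=TIMEOUT, ignore_hosts=(), ignore_ports=()):
    """records: iterable of (timestamp, src_ip, dst_ip, dst_port).

    Returns {src_ip: reason} for every source that crossed a limit.
    """
    windows = defaultdict(list)   # src -> [(ts, dst, dport)] inside window
    alerts = {}
    for ts, src, dst, dport in sorted(records):
        if src in ignore_hosts or dport in ignore_ports:
            continue
        if src in alerts:          # already reported; one alert per source
            continue
        win = [e for e in windows[src] if ts - e[0] <= timeout]
        win.append((ts, dst, dport))
        windows[src] = win
        hosts = {e[1] for e in win}
        ports = {e[2] for e in win}
        if len(hosts) >= target_limit:
            alerts[src] = "%d hosts within %gs" % (len(hosts), timeout)
        elif len(ports) >= port_limit:
            alerts[src] = "%d ports within %gs" % (len(ports), timeout)
    return alerts


def sample_records():
    """Constructed connection records (ts, src, dst, dport); not real traffic."""
    recs = []
    # 1. fast vertical scan: 30 ports on one host inside one second
    for i in range(30):
        recs.append((100.0 + i * 0.03, "203.0.113.9", "192.0.2.10", 1 + i))
    # 2. fast horizontal scan: port 22 on 15 hosts inside two seconds
    for i in range(15):
        recs.append((200.0 + i * 0.1, "203.0.113.20", "192.0.2.%d" % (100 + i), 22))
    # 3. ordinary client: 5 connections to one port over ten seconds
    for i in range(5):
        recs.append((300.0 + i * 2.0, "198.51.100.5", "192.0.2.10", 80))
    # 4. slow scan: 30 ports, one every two seconds; never 25 inside the window
    for i in range(30):
        recs.append((400.0 + i * 2.0, "203.0.113.77", "192.0.2.10", 1 + i))
    # 5. outbound mail relay: port 25 to 30 hosts inside one second
    for i in range(30):
        recs.append((500.0 + i * 0.03, "192.0.2.25", "203.0.113.%d" % (100 + i), 25))
    return recs


if __name__ == "__main__":
    print("default thresholds:", detect_scans(sample_records()))
    print("ignoring port 25:  ", detect_scans(sample_records(), ignore_ports=(25,)))
```

Case 4 is the one worth noticing: the slow scanner touches 30 ports in total but never more than two inside any 3-second window, so with timeout 3 it is never reported; case 5 shows why the post excludes port 25, since a busy mail relay otherwise looks like a horizontal scan.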