[Snort-users] portscan events not showing up in base

John Newman jnn at ...13788...
Tue May 23 09:53:09 EDT 2006


preprocessor portscan: $HOME_NET 25 3 portscan.log
preprocessor portscan-ignorehosts: XX.XX.XX.XX/XX

preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 12, port_limit 25, timeout 3
preprocessor portscan2-ignorehosts: XX.XX.XX.XX/XX
preprocessor portscan2-ignoreports-from: 25
preprocessor portscan2-ignoreports-to: 25


Replace the XX.XX's with my network addresses.


thanks,

--
John

On Tue, May 23, 2006 at 12:07:30PM -0400, Joel Esler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> What is your portscan line from your snort.conf file?
> 
> Joel
> 
> John Newman wrote:
> > Hello,
> > 
> > I'm using snort 2.4.4 but not sfportscan, rather the older portscan and
> > portscan2 modules.  I've just realized that, although portscans are
> > being detected just fine, they aren't being propagated through barnyard
> > into the base database.  
> > 
> > e.g.
> > 
> > select * from acid_event where sig_name like '%portscan%' and timestamp >
> > '2006-05-01 00:00:00';
> > 
> > returns nothing
> > 
> > If I change the date portion to sometime last month, before I switched
> > from sfportscan, I get all sorts of results.   Does anyone have any clue
> > what might be causing this?
> > 
> > thanks,
> > 
> 
> - --
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFEczNBKbCSyXHckt4RAqruAKCmakaXNUM6eLp+AknGUyXiXffhAgCeO6OI
> KYB1aZzD/x8WBjH/RXSrWJE=
> =Eu41
> -----END PGP SIGNATURE-----

-- 
John Newman
Systems Administrator, WebXess Inc.
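A few diagnostic queries for the situation John describes, added here as an example and not part of the original thread or of Snort/BASE. They assume the stock Snort database schema that barnyard's database output plugin writes (an `event` table keyed by `sid`/`cid` with a `signature` foreign key into the `signature` table) and BASE's `acid_event` cache table, which is what the query in the original post reads from. The date matches the one in the post; table and column names are the standard schema and are an assumption about this particular install.

```sql
-- Added example, not from the original post. Assumed stock Snort DB schema
-- as written by barnyard's database output plugin:
--   signature(sig_id, sig_name, sig_class_id, sig_priority, ...)
--   event(sid, cid, signature, timestamp)
-- and BASE's own cache table:
--   acid_event(sid, cid, signature, sig_name, timestamp, ...)

-- 1. Does the database know a portscan signature at all? No rows here means
--    barnyard has never inserted a portscan alert into this schema.
SELECT sig_id, sig_name
FROM signature
WHERE sig_name LIKE '%portscan%';

-- 2. Have any portscan events reached the raw event table this month?
--    This bypasses BASE's cache and shows what barnyard actually wrote.
SELECT e.sid, e.cid, s.sig_name, e.timestamp
FROM event AS e
JOIN signature AS s ON s.sig_id = e.signature
WHERE s.sig_name LIKE '%portscan%'
  AND e.timestamp > '2006-05-01 00:00:00'
ORDER BY e.timestamp DESC
LIMIT 20;

-- 3. Compare the raw table with BASE's cache. Rows returned here exist in
--    event but not in acid_event, which points at the BASE cache not being
--    refreshed; an empty result from query 2 as well points at the
--    snort/barnyard side instead.
SELECT e.sid, e.cid, s.sig_name, e.timestamp
FROM event AS e
JOIN signature AS s ON s.sig_id = e.signature
LEFT JOIN acid_event AS a ON a.sid = e.sid AND a.cid = e.cid
WHERE s.sig_name LIKE '%portscan%'
  AND e.timestamp > '2006-05-01 00:00:00'
  AND a.cid IS NULL;
```

Run the three in order: query 2 separates "barnyard never wrote it" from "BASE never showed it", and query 3 tells you which half of the pipeline to look at before touching snort.conf.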
