[Snort-users] portscan events not showing up in base

John Newman jnn at ...13788...
Tue May 23 09:58:07 EDT 2006


Woops...

the portscan2 module should've read, and now does read

preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 12, port_limit 25, timeout 3, log portscan2.log

I keep log files for the two portscan preprocessors that I rotate quite
frequently (every time they hit 20 megs) with some perl code I wrote,
just in case I need more info than the DB gives me (in this case it's
been helpful since I'm getting no portscan info from the db :)

--
john

On Tue, May 23, 2006 at 11:52:37AM -0500, John Newman wrote:
> preprocessor portscan: $HOME_NET 25 3 portscan.log
> preprocessor portscan-ignorehosts: XX.XX.XX.XX/XX
> 
> preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 12, port_limit 25, timeout 3
> preprocessor portscan2-ignorehosts: XX.XX.XX.XX/XX
> preprocessor portscan2-ignoreports-from: 25
> preprocessor portscan2-ignoreports-to: 25
> 
> 
> Replace the XX.XX's with my network addresses.
> 
> 
> thanks,
> 
> --
> John
> 
> On Tue, May 23, 2006 at 12:07:30PM -0400, Joel Esler wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > What is your portscan line from your snort.conf file?
> > 
> > Joel
> > 
> > John Newman wrote:
> > > Hello,
> > > 
> > > I'm using snort 2.4.4 but not sfportscan, rather the older portscan and
> > > portscan2 modules.  I've just realized that, although portscans are
> > > being detected just fine, they aren't being propagated through barnyard
> > > into the base database.
> > > 
> > > e.g.
> > > 
> > > select * from acid_event where sig_name like '%portscan%' and timestamp >
> > > '2006-05-01 00:00:00';
> > > 
> > > returns nothing
> > > 
> > > If I change the date portion to sometime last month, before I switched
> > > from sfportscan, I get all sorts of results.   Does anyone have any clue
> > > what might be causing this?
> > > 
> > > thanks,
> > > 
> > 
> > - --
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.3 (Darwin)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > 
> > iD8DBQFEczNBKbCSyXHckt4RAqruAKCmakaXNUM6eLp+AknGUyXiXffhAgCeO6OI
> > KYB1aZzD/x8WBjH/RXSrWJE=
> > =Eu41
> > -----END PGP SIGNATURE-----
> 
> -- 
> John Newman
> Systems Administrator, WebXess Inc.
> 

-- 
John Newman
Systems Administrator, WebXess Inc.
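The problem in this thread is that one event family (portscan) silently stopped reaching the BASE database while everything else kept flowing, and it was only noticed by hand-running a query. The script below is an added example, not code from the thread or from Snort/BASE: it builds a minimal acid_event-like table in SQLite from constructed rows (only the sig_name and timestamp columns are assumed; the real BASE schema has many more) and flags any signature family that has history in the DB but nothing newer than a chosen quiet window, which is the kind of check that would have caught the barnyard gap earlier.

```python
"""Find signature families that have gone silent in an ACID/BASE-style event DB.

Added example for the thread above; it is not Snort, barnyard or BASE code.
Assumed: a table named acid_event with at least sig_name (TEXT) and
timestamp (TEXT, 'YYYY-MM-DD HH:MM:SS'), matching the query in the thread.
"""
import sqlite3
from datetime import datetime, timedelta

# Constructed sample rows. Portscan events stop in late April (the sensor
# config change), while other signatures keep arriving through May.
SAMPLE_EVENTS = [
    ("(portscan) TCP Portscan", "2006-04-20 10:00:00"),
    ("(portscan) TCP Portscan", "2006-04-28 22:15:00"),
    ("ICMP PING NMAP", "2006-04-25 09:00:00"),
    ("ICMP PING NMAP", "2006-05-10 09:00:00"),
    ("ICMP PING NMAP", "2006-05-22 18:30:00"),
    ("WEB-IIS cmd.exe access", "2006-05-21 01:00:00"),
]


def build_db(rows):
    """Create an in-memory DB with the assumed acid_event columns and load rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE acid_event (sig_name TEXT, timestamp TEXT)")
    conn.executemany("INSERT INTO acid_event VALUES (?, ?)", rows)
    conn.commit()
    return conn


def count_since(conn, pattern, since):
    """The thread's own check: how many events matching pattern arrived after `since`?"""
    cur = conn.execute(
        "SELECT COUNT(*) FROM acid_event WHERE sig_name LIKE ? AND timestamp > ?",
        (pattern, since),
    )
    return cur.fetchone()[0]


def last_seen_by_family(conn):
    """Return {sig_name: (event_count, last_timestamp)} for every signature in the DB."""
    cur = conn.execute(
        "SELECT sig_name, COUNT(*), MAX(timestamp) FROM acid_event GROUP BY sig_name"
    )
    return {name: (n, last) for name, n, last in cur}


def silent_families(conn, now, quiet_for=timedelta(days=14)):
    """Signatures with history in the DB but no event newer than now - quiet_for.

    ISO timestamps compare correctly as strings, so no parsing is needed.
    """
    cutoff = (now - quiet_for).strftime("%Y-%m-%d %H:%M:%S")
    return sorted(
        name for name, (_, last) in last_seen_by_family(conn).items() if last < cutoff
    )


if __name__ == "__main__":
    db = build_db(SAMPLE_EVENTS)
    print("portscan events since 2006-05-01:",
          count_since(db, "%portscan%", "2006-05-01 00:00:00"))
    for name in silent_families(db, datetime(2006, 5, 23, 12, 0, 0)):
        n, last = last_seen_by_family(db)[name]
        print(f"SILENT: {name!r} ({n} events, last seen {last})")
```

Running this periodically against the live BASE database, with a quiet window shorter than the rotation period of the preprocessor's own log file, gives an alert when the sensor-to-barnyard-to-DB path drops an event class even though the sensor is still logging it locally.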
