[Snort-users] Unified Logging - BASE - Portscans

Michael Steele michaels at ...9077...
Mon Jul 25 17:23:19 EDT 2011


James,

Thanks for taking a look. I know there are a LOT of users on all platforms still
using BASE as their console. I was talking to Jason and he tells me that
when unified2 logging is used, all alerts go into the unified log file, and
I'm assuming that includes portscans.

Seems someone would have come up with a solution to view portscans in the
BASE console using unified logging.

The below is used in order for BASE to grab the portscans, at least it
worked with 'output database':
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

When the above 'preprocessor sfportscan:' is used with unified logging, all
it does is create the portscan.log file and never injects portscans into the
log file.

I'm not even really sure if the 'preprocessor sfportscan:' is even needed
using the unified logging method, and I'm not really sure how to turn portscans on
when using unified2 logging:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

And will the above log portscans to the unified log file?

Kindest regards,
Michael...
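As an added example for the question above (not code from this thread, from Snort, BASE or Barnyard2): a small Python reader that walks a unified2 spool file and pulls out the sfportscan events, which carry generator ID 122, together with the text sfportscan puts into the pseudo-packet record logged right after each of them. It builds its own sample file inline so it runs offline; the scanner and target addresses, timestamps, the link type value 12 and the raw-IPv4 layout of the pseudo-packet are constructed assumptions, and the record layouts are the legacy 52-byte IDS event and the 28-byte packet header from the unified2 format. Feeding `portscan_events` the bytes of a real snort.u2.* file shows whether portscans are landing in it at all, independent of what BASE displays.

```python
"""Walk a unified2 file and list sfportscan events with their text detail.

Added example; not code from Snort, BASE or Barnyard2. Sample data below is
constructed for the demonstration.
"""
import socket
import struct

# unified2 record types (values from Snort's Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event with mpls/vlan tail; first 52 bytes identical
SFPORTSCAN_GID = 122            # generator id used by the sfportscan preprocessor

RECORD_HDR = ">II"      # record type, record length (big-endian)
EVENT_FMT = ">11I2H4B"  # sensor,event_id,sec,usec,sid,gid,rev,class,prio,src,dst,sport,dport,proto,impact_flag,impact,blocked
PACKET_FMT = ">7I"      # sensor,event_id,event_sec,pkt_sec,pkt_usec,linktype,pkt_len; packet bytes follow


def ip4(n):
    return socket.inet_ntoa(struct.pack(">I", n))


def iter_records(data):
    """Yield (type, body) for each record; refuse truncated or trailing bytes."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(RECORD_HDR, data, off)
        off += 8
        body = data[off:off + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record at offset %d" % (off - 8))
        off += rlen
        yield rtype, body
    if off != len(data):
        raise ValueError("trailing bytes after last record")


def parse_event(body):
    f = struct.unpack(EVENT_FMT, body[:52])
    return {"event_id": f[1], "event_second": f[2], "sid": f[4], "gid": f[5],
            "rev": f[6], "priority": f[8], "src": ip4(f[9]), "dst": ip4(f[10]),
            "protocol": f[13]}


def portscan_text(pkt):
    """Return the text after the IPv4 header of an sfportscan pseudo-packet.
    Assumes raw IPv4 with no link-layer header (true for the constructed sample)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl:].rstrip(b"\x00").decode("ascii", "replace")


def portscan_events(data):
    """Collect gid-122 events and attach the detail text from their packet record."""
    found, pending = [], None
    for rtype, body in iter_records(data):
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            ev = parse_event(body)
            pending = ev if ev["gid"] == SFPORTSCAN_GID else None
        elif rtype == UNIFIED2_PACKET and pending is not None:
            hdr = struct.unpack(PACKET_FMT, body[:28])
            if hdr[1] == pending["event_id"]:   # packet record pairs with the event
                pending["detail"] = portscan_text(body[28:28 + hdr[6]])
                found.append(pending)
            pending = None
        else:
            pending = None
    return found


# ---- constructed sample file (assumed values, not captured data) ----
def record(rtype, body):
    return struct.pack(RECORD_HDR, rtype, len(body)) + body


def ipv4_pseudo_packet(src, dst, payload):
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 0, 255, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def event_body(event_id, sid, gid, src, dst, proto):
    to_int = lambda a: struct.unpack(">I", socket.inet_aton(a))[0]
    return struct.pack(EVENT_FMT, 0, event_id, 1311629000, 0, sid, gid, 1, 30, 3,
                       to_int(src), to_int(dst), 0, 0, proto, 0, 0, 0)


def build_sample():
    scan_text = (b"Priority Count: 5\nConnection Count: 10\nIP Count: 1\n"
                 b"Scanner IP Range: 192.0.2.10:192.0.2.10\n"
                 b"Port/Proto Count: 10\nPort/Proto Range: 21:80\n")
    scan_pkt = ipv4_pseudo_packet("192.0.2.10", "198.51.100.5", scan_text)
    rule_pkt = ipv4_pseudo_packet("192.0.2.7", "198.51.100.5", b"GET / HTTP/1.0\r\n")
    return (record(UNIFIED2_IDS_EVENT, event_body(1, 1, SFPORTSCAN_GID, "192.0.2.10", "198.51.100.5", 255))
            + record(UNIFIED2_PACKET, struct.pack(PACKET_FMT, 0, 1, 1311629000, 1311629000, 0, 12, len(scan_pkt)) + scan_pkt)
            + record(UNIFIED2_IDS_EVENT, event_body(2, 1000001, 1, "192.0.2.7", "198.51.100.5", 6))
            + record(UNIFIED2_PACKET, struct.pack(PACKET_FMT, 0, 2, 1311629001, 1311629001, 0, 12, len(rule_pkt)) + rule_pkt))


if __name__ == "__main__":
    for ev in portscan_events(build_sample()):
        print("gid %d sid %d %s -> %s" % (ev["gid"], ev["sid"], ev["src"], ev["dst"]))
        print(ev["detail"])
```

The ordinary rule event (gid 1) in the sample is deliberately ignored, so the count of returned events tells you how many portscan records the file actually contains. Running it over a real spool file (`portscan_events(open(path, "rb").read())`) separates the two possibilities in the thread: an empty result means sfportscan is not writing to unified2, a non-empty one means the data is there and the gap is on the console side.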


-----Original Message-----
From: Lay, James [mailto:james.lay at ...15009...] 
Sent: Monday, July 25, 2011 3:29 PM
To: Michael Steele; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Unified Logging - BASE - Portscans

> -----Original Message-----
> From: Michael Steele [mailto:michaels at ...9077...]
> Sent: Friday, July 22, 2011 9:13 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Unified Logging - BASE - Portscans
> 
> I noticed that moving from output database to unified logging that
> portscans are no longer displayed in the BASE console.
> 
> Is there a solution to get this feature back to working in BASE?
> 
> Kindest regards,
> Michael...

Michael, FWIW I tried in vain to get this to fly at home...I have the
portscan.log file being created as well as pointing to the right spot in
base_conf.php, but nothing shows up.  I suspect it's a difference in the
file format from the time BASE was made.  I'm sure an enterprising soul
could make the mods to the php files, but that wouldn't be me ;)  For now I
do without portscan info...BASE gives me what I need without.

James
