[Snort-users] Unified Logging - BASE - Portscans

Lay, James james.lay at ...15009...
Mon Jul 25 17:59:39 EDT 2011


Hi Michael,

Now that's odd...my sfportscan line:

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

And a tail of my portscan.log:

Time: 07/25-06:37:31.148528
event_id: 750
92.126.55.42 -> external.ip (portscan) UDP Portscan
Priority Count: 45
Connection Count: 86
IP Count: 5
Scanner IP Range: 74.50.52.136:92.126.55.42
Port/Proto Count: 5
Port/Proto Range: 6881:44898


I'm betting this is a different format from 2009's sfportscan?  I dunno :(

James

> -----Original Message-----
> From: Michael Steele [mailto:michaels at ...9077...]
> Sent: Monday, July 25, 2011 3:23 PM
> To: Lay, James; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Unified Logging - BASE - Portscans
> 
> James,
> 
> Thanks for taking a look. I know there are a LOT of users on all platforms still
> using BASE as their console. I was talking to Jason and he tells me that
> when unified2 logging is used, all alerts go into the unified log file, and
> I'm assuming that includes portscans.
> 
> Seems someone would have come up with a solution to view portscans in the
> BASE console using unified logging.
> 
> The below is used in order for BASE to grab the portscans, at least it
> worked with 'output database':
> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
> 
> When the above 'preprocessor sfportscan:' is used with unified logging all
> it does is create the portscan.log file and never injects portscans into the
> log file.
> 
> I'm not even really sure if the 'preprocessor sfportscan:' is even needed
> using the unified logging method, and I'm not really sure how to turn portscans on
> when using unified2 logging:
> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
> 
> And will the above log portscans to the unified log file?
> 
> Kindest regards,
> Michael...
> 
> 
> -----Original Message-----
> From: Lay, James [mailto:james.lay at ...15009...]
> Sent: Monday, July 25, 2011 3:29 PM
> To: Michael Steele; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
> 
> > -----Original Message-----
> > From: Michael Steele [mailto:michaels at ...9077...]
> > Sent: Friday, July 22, 2011 9:13 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Unified Logging - BASE - Portscans
> >
> > I noticed that moving from output database to unified logging that
> portscans
> > are no longer displayed in the BASE console.
> >
> > Is there a solution to get this feature back to working in BASE?
> >
> > Kindest regards,
> > Michael...
> 
> Michael, FWIW I tried in vain to get this to fly at home...I have the
> portscan.log file being created as well as pointing to the right spot in
> base_conf.php, but nothing shows up.  I suspect it's a difference in the
> file format from the time BASE was made.  I'm sure an enterprising soul
> could make the mods to the php files, but that wouldn't be me ;)  For now I
> do without portscan info...BASE gives me what I need without.
> 
> James
> 