[Snort-users] Unified Logging - BASE - Portscans

Michael Steele michaels at ...9077...
Mon Jul 25 18:45:25 EDT 2011


James,

My portscan.log is 0 bytes. If I turn unified logging off, and turn the
output database plugin on, the portscan.log file will be populated with
portscan alerts.

This is strange, so you have unified logging turned on and you are receiving
data into the portscan.log file? Can you verify that it's really working by
stopping the snort service, deleting the file, and restarting the snort
service to see if alerts continue to populate the portscan.log file?

Kindest regards,
Michael...

-----Original Message-----
From: Lay, James [mailto:james.lay at ...15009...] 
Sent: Monday, July 25, 2011 6:00 PM
To: Michael Steele; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Unified Logging - BASE - Portscans

Hi Michael,

Now that's odd...my sfportscan line:

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

And a tail of my portscan.log:

Time: 07/25-06:37:31.148528
event_id: 750
92.126.55.42 -> external.ip (portscan) UDP Portscan Priority Count: 45
Connection Count: 86 IP Count: 5 Scanner IP Range: 74.50.52.136:92.126.55.42
Port/Proto Count: 5 Port/Proto Range: 6881:44898


I'm betting this is a different format from 2009's sfportscan?  I dunno :(

James

> -----Original Message-----
> From: Michael Steele [mailto:michaels at ...9077...]
> Sent: Monday, July 25, 2011 3:23 PM
> To: Lay, James; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Unified Logging - BASE - Portscans
> 
> James,
> 
> Thanks for taking a look. I know there are a LOT of users on all platforms
> still using BASE as their console. I was talking to Jason and he tells me
> that when unified2 logging is used, all alerts go into the unified log
> file, and I'm assuming that includes portscans.
> 
> Seems someone would have come up with a solution to view portscans in
> the BASE console using unified logging.
> 
> The below is used in order for BASE to grab the portscans, at least it
> worked with 'output database':
> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
> 
> When the above ' preprocessor sfportscan:' is used with unified logging
> all it does is create the portscan.log file and never injects portscans
> into the log file.
> 
> I'm not even real sure if the ' preprocessor sfportscan:' is even needed
> using the unified logging method, and I'm not real sure how to turn
> portscans on when using unified2 logging:
> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
> 
> And will the above log portscans to the unified log file?
> 
> Kindest regards,
> Michael...
> 
> 
> -----Original Message-----
> From: Lay, James [mailto:james.lay at ...15009...]
> Sent: Monday, July 25, 2011 3:29 PM
> To: Michael Steele; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
> 
> > -----Original Message-----
> > From: Michael Steele [mailto:michaels at ...9077...]
> > Sent: Friday, July 22, 2011 9:13 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Unified Logging - BASE - Portscans
> >
> > I noticed that, moving from output database to unified logging,
> > portscans are no longer displayed in the BASE console.
> >
> > Is there a solution to get this feature back to working in BASE?
> >
> > Kindest regards,
> > Michael...
> 
> Michael, FWIW I tried in vain to get this to fly at home...I have the
> portscan.log file being created as well as pointing to the right spot in
> base_conf.php, but nothing shows up.  I suspect it's a difference in the
> file format from the time BASE was made.  I'm sure an enterprising soul
> could make the mods to the php files, but that wouldn't be me ;)  For
> now I do without portscan info...BASE gives me what I need without.
> 
> James
> 
>
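Since BASE cannot read this portscan.log layout, here is an added example (not code from the thread, nor from the Snort or BASE projects) that parses the record format James pasted into plain Python dicts, tolerating the line wrapping seen in the mail, so the events can be fed to another console or checked in a script. It assumes the field order shown in James's tail and IPv4 addresses in the Scanner IP Range field.

```python
import re

# Constructed sample: James's portscan.log tail from the thread, with the line
# wrapping exactly as it was pasted into the mail.
SAMPLE = """Time: 07/25-06:37:31.148528
event_id: 750
92.126.55.42 -> external.ip (portscan) UDP Portscan Priority Count: 45
Connection Count: 86 IP Count: 5 Scanner IP Range: 74.50.52.136:92.126.55.42
Port/Proto Count: 5 Port/Proto Range: 6881:44898
"""

# Integer counters that every sfportscan record carries, keyed by output name.
COUNTERS = {
    "event_id": r"event_id:\s*(\d+)",
    "priority_count": r"Priority Count:\s*(\d+)",
    "connection_count": r"Connection Count:\s*(\d+)",
    "ip_count": r"IP Count:\s*(\d+)",
    "port_proto_count": r"Port/Proto Count:\s*(\d+)",
}
# "src -> dst (category) <scan type>" immediately precedes "Priority Count:".
HEADER = re.compile(r"(\S+)\s*->\s*(\S+)\s*\((.+?)\)\s*(.+?)\s*Priority Count:")


def parse_portscan_log(text):
    """Return one dict per record; records are delimited by 'Time:' lines."""
    records = []
    for chunk in re.split(r"(?m)^Time:\s*", text)[1:]:  # [0] is pre-record text
        flat = " ".join(chunk.split())  # collapse whitespace so wrapped lines parse
        rec = {"time": flat.split(" ", 1)[0]}
        for name, pattern in COUNTERS.items():
            m = re.search(pattern, flat)
            rec[name] = int(m.group(1)) if m else None
        m = HEADER.search(flat)
        if m:
            rec.update(src=m.group(1), dst=m.group(2),
                       category=m.group(3), scan_type=m.group(4))
        # Assumption: IPv4 addresses, so the range contains exactly one colon.
        m = re.search(r"Scanner IP Range:\s*(\S+):(\S+)", flat)
        rec["scanner_range"] = (m.group(1), m.group(2)) if m else None
        m = re.search(r"Port/Proto Range:\s*(\d+):(\d+)", flat)
        rec["port_range"] = (int(m.group(1)), int(m.group(2))) if m else None
        records.append(rec)
    return records


def noisy_sources(records, min_connections):
    """Source IPs whose scan reached at least min_connections connections."""
    return sorted({r["src"] for r in records
                   if r.get("src") and (r["connection_count"] or 0) >= min_connections})
```

Call `parse_portscan_log(open("portscan.log").read())` on a real file; each dict can be dumped with `json.dumps` as one line per event for whatever console replaces BASE's portscan view.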
