[Snort-users] Barnyard2 not inputting portscans (was Unified Logging - BASE - Portscans)

beenph beenph at ...11827...
Wed Jul 27 08:50:13 EDT 2011


On Wed, Jul 27, 2011 at 8:30 AM, James Lay <jlay at ...13475...> wrote:
> Interesting....and guess what...barnyard2 doesn't seem to log portscan
> data:
>
> Jul 26 20:34:39 gateway snort[4555]: [122:17:0] (portscan) UDP Portscan
> [Priority: 3] {PROTO:255} 205.171.2.25 -> my.ext.ip
>
> A search for 205.171.2.25 came up empty....I think we have our issue.
> Time to talk to firnsy maybe?
>

The only thing that barnyard2 is not logging should be
EXTRADATA events.

Now in barnyard2 1.10, the only issue I could see that would lead to
your portscan not being reported is the spooler cache mechanism that
will be removed in a future version since the spooler has been refactored.

You can find a version of barnyard2 without the spooler cache and with
spooler improvements @ https://github.com/binf/barnyard2.

Let us know if this fixes what you are observing.

Thanks
-elz
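The check James describes above (grep the syslog alert line, then look for the same event in the barnyard2 database) can be scripted. The following is an added example, not code from the thread or from the barnyard2 project: it parses Snort's syslog alert format (`[gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src -> dst`) and reports events that appear in syslog but not in a list of rows assumed to have been read back from the barnyard2 output database. The sample lines, the database rows, and the `db_rows` shape are constructed for the example; the portscan line is the one quoted in the post, with the destination redacted as in the post. GID 122 is treated as the portscan preprocessor's generator ID, which is what the `(portscan)` tag in that line reflects.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample syslog lines. The first is the portscan line quoted in
# the thread; the second is a constructed ordinary rule alert with ports and a
# classification, so the parser is exercised on both shapes.
SAMPLE_LINES = [
    "Jul 26 20:34:39 gateway snort[4555]: [122:17:0] (portscan) UDP Portscan "
    "[Priority: 3] {PROTO:255} 205.171.2.25 -> my.ext.ip",
    "Jul 26 20:35:01 gateway snort[4555]: [1:2000000:1] EXAMPLE rule hit "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.0.2.10:44321 -> 198.51.100.5:80",
]

# Constructed stand-in for rows read back from the barnyard2 database
# (e.g. a join of signature and iphdr); only the rule alert is present, which
# is the situation described in the thread.
DB_ROWS = [
    {"gid": 1, "sid": 2000000, "src": "192.0.2.10", "dst": "198.51.100.5"},
]

PORTSCAN_GID = 122  # generator ID of the portscan preprocessor

# Assumes IPv4 addresses or hostnames (an IPv6 literal contains ':' and would
# confuse the optional port capture).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    @property
    def is_portscan(self) -> bool:
        return self.gid == PORTSCAN_GID


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one Snort syslog alert line; return None if it is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return SnortAlert(
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["classification"],
        priority=int(g["priority"]), proto=g["proto"],
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def missing_from_db(lines: Iterable[str], db_rows: List[dict]) -> List[SnortAlert]:
    """Return syslog alerts with no matching (gid, sid, src, dst) row in db_rows."""
    stored = {(r["gid"], r["sid"], r["src"], r["dst"]) for r in db_rows}
    missing = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if (alert.gid, alert.sid, alert.src, alert.dst) not in stored:
            missing.append(alert)
    return missing


if __name__ == "__main__":
    for a in missing_from_db(SAMPLE_LINES, DB_ROWS):
        kind = "portscan" if a.is_portscan else "rule alert"
        print(f"not in DB: [{a.gid}:{a.sid}:{a.rev}] {a.msg} ({kind}) "
              f"{a.src} -> {a.dst} proto={a.proto}")
```

Running it against the constructed data lists only the portscan event, which is the gap the thread is about; swapping `DB_ROWS` for a real query result against the barnyard2 schema turns it into a routine cross-check after a spooler upgrade.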
