[Snort-users] Barnyard2 not inputting portscans (was Unified Logging - BASE - Portscans)
beenph at ...11827...
Wed Jul 27 09:02:44 EDT 2011
On Wed, Jul 27, 2011 at 8:50 AM, James Lay <jlay at ...13475...> wrote:
> Just confirmed.....with going direct to mysql from snort with no barnyard,
> I TOTALLY not only get a portscan entry, but also an "Open port: ****"
> (portscan) TCP Portscan: 21:49157
> (portscan) Open Port: 53
> But now I see I even see yon "Portscan Traffic (< 1%) on the BASE
> mainscreen. Nice sleuthing job Michael! I'll be sticking with direct to
> db from snort until this is fixed.
There is many reasons why you shouldn't use directly database output from snort.
The main reason is that any problems with the database would directly
hinder the ole detection process.
The second reason is that direct database output plugin will be
depricated in the future for the reason
mentionned above and other reasons.
Use the link on github i gave you and you should see your portscan
events being logged without an issue.
I am working on barnayrd2 with firnsy, the only reason this has not
made its way into 1.10 is because
there will be other changes that will be made when in the near future.
But it is perfectly stable and reliable, your call.
More information about the Snort-users