[Snort-users] sfportscan output to log / Barnyard2 processing

Brad Turnbough brad.turnbough at ...11827...
Sun Jun 3 14:40:14 EDT 2012


{{Disclosure -- I know this isn't 100% Snort related, but I don't have any
other resource to turn to.}}


Hi All,

I have snort logging portscans to /var/log/snort/portscan.log.  I've
verified that scans are getting logged.

What I need to do is to get that information (I think) converted to
unified2 and read into the MySQL database using Barnyard2.

Other test events are logged to unified2 log files successfully (and
barnyard2 picks them up and logs them to MySQL), I just think that the
sfportscan module needs to be told to log to unified2 as well.


Can someone please assist me in getting that accomplished?

Snort Version 2.9.2.3
Barnyard2 Version 2.1.9


Example of /var/log/snort/portscan.log:

Time: 06/03-13:07:23.605810
event_ref: 0
MACADDRESS_SUBSTITUTED -> ff02::c (portscan) UDP Filtered Portsweep
Priority Count: 0
Connection Count: 30
IP Count: 5
Scanned IP Range: MACADDRESS_SUBSTITUTED
Port/Proto Count: 5
Port/Proto Range: 547:1900

snort.conf:
preprocessor sfportscan: proto { all } memcap { 10000000 } scan_type { all } sense_level { medium } logfile { /var/log/snort/portscan.log }

barnyard2.conf:
output database: alert, mysql, user=snort dbname=snorby password=PASSWORD_SUBSTITUTED host=localhost
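Added example, not code from the post or from the Snort or Barnyard2 projects: a small Python parser for the sfportscan text log format quoted above, useful for loading those records into a database or SIEM directly from /var/log/snort/portscan.log, independently of the unified2 path. The sample log is constructed (documentation addresses 2001:db8::10, 192.0.2.7 and 198.51.100.20), and the "Scanned IP Range" values are assumed to use a low:high layout since the post redacts that field; the parser keeps that field as a string so the assumption does not affect the result.

```python
import re
from typing import Dict, List, Union

Record = Dict[str, Union[str, int]]

# Constructed sample in the layout of the sfportscan text log quoted in the post.
# Addresses are documentation/link-local placeholders, not captured data.
SAMPLE_PORTSCAN_LOG = """\
Time: 06/03-13:07:23.605810
event_ref: 0
2001:db8::10 -> ff02::c (portscan) UDP Filtered Portsweep
Priority Count: 0
Connection Count: 30
IP Count: 5
Scanned IP Range: ff02::c:ff02::c
Port/Proto Count: 5
Port/Proto Range: 547:1900

Time: 06/03-13:09:01.000123
event_ref: 0
192.0.2.7 -> 198.51.100.20 (portscan) TCP Portscan
Priority Count: 3
Connection Count: 12
IP Count: 1
Scanned IP Range: 198.51.100.20:198.51.100.20
Port/Proto Count: 12
Port/Proto Range: 21:443
"""

# The one line per event that is not "Key: value":
# "<src> -> <dst> (portscan) <scan type text>"
_HEADER_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) \(portscan\) (?P<scan_type>.+)$")

# Fields whose values are plain integers in the log.
_INT_FIELDS = {"event_ref", "Priority Count", "Connection Count", "IP Count", "Port/Proto Count"}


def parse_event_block(block: str) -> Record:
    """Parse one blank-line-separated event block into a flat dict."""
    event: Record = {}
    for line in block.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = _HEADER_RE.match(line)
        if m:
            event.update(m.groupdict())
            continue
        # Split at the first ": " only, so values like "547:1900" stay intact.
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"unrecognised sfportscan log line: {line!r}")
        event[key] = int(value) if key in _INT_FIELDS else value.strip()
    missing = {"Time", "src", "dst", "scan_type"} - event.keys()
    if missing:
        raise ValueError(f"incomplete sfportscan event, missing {sorted(missing)}")
    return event


def parse_portscan_log(text: str) -> List[Record]:
    """Split the log on blank lines (one event per block) and parse each block."""
    return [parse_event_block(b) for b in re.split(r"\n\s*\n", text) if b.strip()]


def scans_by_source(events: List[Record]) -> Dict[str, int]:
    """Sum 'Connection Count' per scanning source address, a quick triage view."""
    totals: Dict[str, int] = {}
    for e in events:
        src = str(e["src"])
        totals[src] = totals.get(src, 0) + int(e.get("Connection Count", 0))
    return totals


if __name__ == "__main__":
    parsed = parse_portscan_log(SAMPLE_PORTSCAN_LOG)
    for ev in parsed:
        print(ev["Time"], ev["src"], "->", ev["dst"], ev["scan_type"], ev["Connection Count"])
    print(scans_by_source(parsed))
```

Each returned dict maps the log's own field names to values, so a row can be inserted into a table with matching columns without further translation; the per-source totals give a first cut at which scanner is noisiest across many events.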