[Snort-users] sfportscan output to log / Barnyard2 processing

Jason Brvenik jbrvenik at ...1935...
Sun Jun 3 14:47:26 EDT 2012


Portscans can already be logged to unified2. The problem is that it is
an overload of IPPROTO for lack of another option and the tools BY2
combined with the antiquated DB schema are unable to accommodate them.
I believe the BY2 folks are working on an update but until then there
really isn't a clean solution.



On Jun 3, 2012, at 2:43 PM, Brad Turnbough <brad.turnbough at ...11827...> wrote:

> {{Disclosure -- I know this isn't 100% Snort related, but I don't have any other resource to turn to.}}
>
>
> Hi All,
>
> I have snort logging portscans to /var/log/snort/portscan.log.  I've verified that scans are getting logged.
>
> What I need to do is to get that information (I think) converted to unified2 and read into the MySQL database using Barnyard2.
>
> Other test events are logged to unified2 log files successfully (and barnyard2 picks them up and logs them to MySQL), I just think that the sfportscan module needs to be told to log to unified2 as well.
>
>
> Can someone please assist me in getting that accomplished?
>
> Snort Version 2.9.2.3
> Barnyard2 Version 2.1.9
>
>
> Example of /var/log/snort/portscan.log:
>
> Time: 06/03-13:07:23.605810
> event_ref: 0
> MACADDRESS_SUBSTITUTED -> ff02::c (portscan) UDP Filtered Portsweep
> Priority Count: 0
> Connection Count: 30
> IP Count: 5
> Scanned IP Range: MACADDRESS_SUBSTITUTED
> Port/Proto Count: 5
> Port/Proto Range: 547:1900
>
> snort.conf:
> preprocessor sfportscan: proto  { all } memcap { 10000000 } scan_type { all } sense_level { medium } logfile { /var/log/snort/portscan.log }
>
> barnyard2.conf:
> output database: alert, mysql, user=snort dbname=snorby password=PASSWORD_SUBSTITUTED host=localhost
>
>
>
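While the unified2/Barnyard2 route for sfportscan pseudo-packets is unresolved, the flat portscan.log layout quoted above can be parsed directly and loaded with parameterized inserts. The following is an added example, not code from either poster, from Snort, or from Barnyard2. The sample records are constructed to match the quoted layout; the `event_id` and `Open Port` lines and the `low:high` form of `Scanned IP Range` are assumptions about other lines sfportscan may emit, and the in-memory sqlite3 table stands in for the Snorby MySQL schema, which the thread does not show.

```python
"""Parse Snort sfportscan flat-file output (portscan.log) into records.

Added example; not code from the Snort or Barnyard2 projects. The sample
is constructed to match the record layout quoted in the thread and uses
documentation / link-local addresses, not captured traffic.
"""
import re
import sqlite3
from datetime import datetime

# Constructed sample in the layout of /var/log/snort/portscan.log.
# The second record's event_id / Open Port lines are assumed, not quoted.
SAMPLE_LOG = """\
Time: 06/03-13:07:23.605810
event_ref: 0
2001:db8::10 -> ff02::c (portscan) UDP Filtered Portsweep
Priority Count: 0
Connection Count: 30
IP Count: 5
Scanned IP Range: ff02::c:ff02::c
Port/Proto Count: 5
Port/Proto Range: 547:1900

Time: 06/03-13:09:41.000120
event_id: 7
192.0.2.7 -> 198.51.100.20 (portscan) TCP Portscan
Priority Count: 4
Connection Count: 12
IP Count: 1
Scanned IP Range: 198.51.100.20:198.51.100.20
Port/Proto Count: 12
Port/Proto Range: 21:3389
Open Port: 22
Open Port: 80
"""

HEADER_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) \(portscan\) (?P<scan>.+)$")
# Snort omits the year unless started with -y; accept both forms.
TIME_FORMATS = ("%m/%d/%y-%H:%M:%S.%f", "%m/%d-%H:%M:%S.%f")


def parse_time(ts, default_year=None):
    """Parse the 'Time:' field; without -y the year is missing, so the
    caller may supply one (otherwise strptime leaves it at 1900)."""
    for fmt in TIME_FORMATS:
        try:
            t = datetime.strptime(ts, fmt)
        except ValueError:
            continue
        if "%y" not in fmt and default_year is not None:
            t = t.replace(year=default_year)
        return t
    raise ValueError("unrecognised Time field: %r" % ts)


def _norm(key):
    # "Port/Proto Range" -> "port_proto_range"
    return re.sub(r"[^a-z0-9]+", "_", key.lower()).strip("_")


def parse_record(lines, default_year=None):
    """Turn one blank-line-delimited block into a dict of typed fields."""
    ev = {"open_ports": []}
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            ev.update(m.groupdict())
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("unexpected line: %r" % line)
        key, value = _norm(key), value.strip()
        if key == "time":
            ev["time"] = parse_time(value, default_year)
        elif key == "open_port":
            ev["open_ports"].append(int(value))
        elif key == "port_proto_range":
            lo, hi = value.split(":")
            ev["port_proto_range"] = (int(lo), int(hi))
        elif key in ("event_id", "event_ref") or key.endswith("_count"):
            ev[key] = int(value)
        else:
            # scanned_ip_range stays a string: ':' is ambiguous for IPv6
            ev[key] = value
    if "src" not in ev:
        raise ValueError("record without a 'src -> dst (portscan)' header")
    return ev


def parse_portscan_log(text, default_year=None):
    """Split the file on blank lines and parse every record."""
    events, block = [], []
    for line in text.splitlines():
        if line.strip():
            block.append(line)
        elif block:
            events.append(parse_record(block, default_year))
            block = []
    if block:
        events.append(parse_record(block, default_year))
    return events


def load_into_sqlite(events):
    """Insert parsed events with parameterized SQL (stand-in for Snorby's
    MySQL schema, which the thread does not show)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE portscan (ts TEXT, src TEXT, dst TEXT, scan TEXT,"
                 " priority_count INTEGER, connection_count INTEGER, ip_count INTEGER,"
                 " port_lo INTEGER, port_hi INTEGER, open_ports TEXT)")
    conn.executemany(
        "INSERT INTO portscan VALUES (?,?,?,?,?,?,?,?,?,?)",
        [(ev["time"].isoformat(), ev["src"], ev["dst"], ev["scan"],
          ev.get("priority_count"), ev.get("connection_count"), ev.get("ip_count"),
          ev["port_proto_range"][0], ev["port_proto_range"][1],
          ",".join(map(str, ev["open_ports"]))) for ev in events])
    conn.commit()
    return conn


if __name__ == "__main__":
    evs = parse_portscan_log(SAMPLE_LOG, default_year=2012)
    db = load_into_sqlite(evs)
    print(db.execute("SELECT src, dst, scan, port_lo, port_hi FROM portscan").fetchall())
```

Records are separated on blank lines and every `key: value` line is kept, so lines the sample does not show still land in the dict instead of being dropped; only the fields loaded into the table are fixed.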