[Snort-users] sfportscan not writing to BASE

Richard Smollett yawningdogge at ...11827...
Tue Feb 11 15:59:14 EST 2014


After a portscan, my log file contains the following.

Time: 02/11-14:49:22.006688
event_ref: 0
172.28.61.88 -> 172.28.61.39 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 5
IP Count: 1
Scanner IP Range: 172.28.61.88:172.28.61.88
Port/Proto Count: 5
Port/Proto Range: 23:993

So it looks like the preprocessor is working. But in the BASE interface,
portscan traffic remains 0%. My rules are reporting to BASE just fine.
Preprocessor config looks like this.

preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000 } sense_level { low } logfile { /etc/snort/sfportscan.log }
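Added example, not part of the original post: a small Python parser for the sfportscan logfile format quoted in the message, turning each entry into a record that can be checked or forwarded to another tool. The function name is hypothetical, the second sample entry is constructed, and the parser assumes every entry starts with a "Time:" line as in the quoted one.

```python
import re

# Constructed sample: the first entry is the one quoted in the post; the second
# is made up for this example so that multi-entry parsing is exercised.
SAMPLE_LOG = """\
Time: 02/11-14:49:22.006688
event_ref: 0
172.28.61.88 -> 172.28.61.39 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 5
IP Count: 1
Scanner IP Range: 172.28.61.88:172.28.61.88
Port/Proto Count: 5
Port/Proto Range: 23:993

Time: 02/11-14:51:03.120001
event_ref: 0
192.0.2.10 -> 192.0.2.20 (portscan) UDP Portscan
Priority Count: 3
Connection Count: 8
IP Count: 1
Scanner IP Range: 192.0.2.10:192.0.2.10
Port/Proto Count: 8
Port/Proto Range: 53:161
"""

# "<src> -> <dst> (portscan) <alert text>", as on the third line of an entry
ALERT_RE = re.compile(r"^(\S+) -> (\S+) \(portscan\) (.+)$")
INT_FIELDS = {"event_ref", "Priority Count", "Connection Count", "IP Count", "Port/Proto Count"}

def parse_sfportscan_log(text):
    """Return one dict per log entry (hypothetical helper for this example)."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Time:"):
            # Assumption: a "Time:" line opens each new entry.
            cur = {"Time": line.split(":", 1)[1].strip()}
            entries.append(cur)
        elif cur is not None and line:
            m = ALERT_RE.match(line)
            if m:
                cur["src"], cur["dst"], cur["alert"] = m.groups()
            else:
                key, sep, value = line.partition(": ")
                if sep:  # lines without "key: value" shape are ignored
                    cur[key] = int(value) if key in INT_FIELDS and value.isdigit() else value
    return entries
```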