Snort mailing list archives
RE: ACID Reporting and Portscans
From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Tue, 6 Aug 2002 14:48:17 -0400
You may already be doing this, so don't take offense if you have! When you
see an alert for spp_portscan, and click on the IP address, you won't see
portscan data. You will only see the data for that alert - and since the
portscan data isn't kept in the alert itself, it isn't shown here. After
clicking on the IP address for which a portscan alert was generated, you
need to click on "Portscan Events" towards the top of the screen. It's in
the middle of a list like:
all alerts with 68.15.1.134/32 as : source | destination |
source/destination
show: unique alerts | portscan events
^^^^^^^^^^^^^^^
Registry lookup (whois) in: ARIN | RIPE APNIC
External: DNS | whois | SamSpade
If you're already doing this and not getting data, you may want to check
permissions on your portscan.log file to make sure your apache user (or
equivalent) has read access.
HTH,
Mike
-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com]
Sent: Tuesday, August 06, 2002 12:08 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] ACID Reporting and Portscans

Probably a simple setup issue, but I can't get any data from ACID's Portscan Traffic. I get data from my portscan preprocessor. I can generate a file /var/log/snort/portscan.log (owned by root) and the file is working, and I have it set up in the acid_conf.php file; I have $portscan_file = "/var/log/snort/portscan.log"; set. But I'm not ever getting any port scan traffic. I can see different port scan information in the logs, but isn't it supposed to generate portscan-specific info?

Thanks
Joe Giles
jgiles () joeman1 com
AOL ID: mcigiles
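As an added example (not code from either poster or from ACID itself), a small Python check for the two things Mike's reply points at: pulling $portscan_file out of acid_conf.php and working out whether the web server account can actually read that file. The sample config text and the account name are constructed; the read check applies ordinary UNIX mode-bit rules and is an assumption about how to test the permission, not anything ACID does.

```python
"""Check that ACID's configured portscan log is readable by the web server user."""
import os
import re
import stat
import pwd
import grp

# Constructed fragment of an acid_conf.php (sample input, not a real file).
SAMPLE_ACID_CONF = '''<?php
$alert_dbname  = "snort_log";
$portscan_file = "/var/log/snort/portscan.log";
?>
'''


def portscan_file_from_conf(conf_text):
    """Return the value assigned to $portscan_file in acid_conf.php text, or None."""
    m = re.search(r'^\s*\$portscan_file\s*=\s*["\']([^"\']*)["\']\s*;',
                  conf_text, re.MULTILINE)
    return m.group(1) if m else None


def user_can_read(st_mode, st_uid, st_gid, uid, gids):
    """Plain UNIX read-permission rule from stat fields.

    Root always reads.  Otherwise exactly one class applies, checked in order:
    owner bits if the uid owns the file, else group bits if the file's group is
    one of the user's groups, else the 'other' bits.
    """
    if uid == 0:
        return True
    if uid == st_uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)


def check_portscan_log(path, username):
    """Stat `path` and report whether `username` (e.g. apache, www-data) can read it.

    Note: every directory on the way to the file also needs the execute bit
    for that user; this function only evaluates the file itself.
    """
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    st = os.stat(path)
    return user_can_read(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)
```

Run `check_portscan_log(portscan_file_from_conf(open("acid_conf.php").read()), "apache")` on the ACID host; a False result with a root-owned log is the permissions problem Mike describes.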
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
