Snort mailing list archives

Re: Snort, ACID and portscan.log


From: "Roman Danyliw" <roman () danyliw com>
Date: Mon, 12 Aug 2002 10:24:36 -0400 (EDT)

I think you will have to do some scripting.  See Question #B-7 of the ACID FAQ:

http://acidlab.sourceforge.net/acid_faq.html

Roman

On Fri, 09 Aug 2002 17:07:06 -0400, Christopher Cook <crcook () oakland edu> wrote:

The alerts DO make it to the database.  But if you click on the IP 
address that gives you the portscan information, and then click 
"portscan events", it wants a separate log file; it is unable to 
reference the file because the file is stored on the Snort box itself. 
I have to physically copy the file (called portscan.log) which logs the 
actual events.  It has been suggested to change the output database to 
log, but then I'll lose the alerts.  Am I allowed to have one output do 
logs and another do alerts?

The reason for the question is that Snort did come up with portscan 
events.  I went to click on the "portscan events" link and it came back 
with "cannot find $portscan_file".  I went back to the Snort box, 
transferred this one file, and it then worked, and I was able to put 
together that it was a portscan attack.  Though I don't want to have to 
copy this file every time.  If Snort can do it, cool.  If not, then I may 
have to set up a batch file to do it for me.

Chris Cook
Security and Support Specialist
Office of Information Technology
Oakland University

Dan Fiorito wrote:

Your DB Output plugin should be changed to alert instead of log. Then it
should work; do note that ACID considers all portscans as different alerts, so if
you are on a busy network you will have a lot of alerts to sort through.

    -----Original Message-----
    From: Christopher Cook [mailto:crcook () oakland edu]
    Sent: Fri 8/9/2002 11:45 AM
    To: snort-users () lists sourceforge net
    Cc:
    Subject: [Snort-users] Snort, ACID and portscan.log
    
    

    I currently have Snort running on one box and doing all the spiffy MySQL
    logging to another centrally located machine.  It's set to log alerts
    and does that just fine.  Snort is set to log portscans and send them to
    a portscan file locally on the Snort box.  I didn't see any options in
    Snort to send the portscan file to the remote log server so that ACID
    can access it.  Is there a way to send the file to the remote log server
    through Snort, or do I need to set a job to do it every night or so?
    
    Chris Cook
    Security and Support Specialist
    Office of Information Technology
    Oakland University
    
    
    
    -------------------------------------------------------
    This sf.net email is sponsored by:ThinkGeek
    Welcome to geek heaven.
    http://thinkgeek.com/sf
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
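
The scripted copy that Roman and Chris both arrive at, as an added example that is not part of the thread and not code from the Snort or ACID projects: a small job meant to run from cron on the sensor, which copies portscan.log to the host running ACID only when the file has actually changed since the last run. It assumes the sensor's portscan preprocessor writes /var/log/snort/portscan.log, that ACID's $portscan_file in acid_conf.php points at /var/log/snort/portscan.log on the ACID host, that the sensor can scp to acid@loghost with a key, and that the script is saved as sync-portscan.sh; all of those names and paths are assumptions, as is the state-file location.

```shell
#!/bin/sh
# Added example (not from the thread): ship the sensor's local portscan.log
# to the ACID host so ACID's "portscan events" link finds the file that
# $portscan_file in acid_conf.php points at.
# Paths, host name and state file below are assumptions; override them in
# the environment or edit them to match your sensor and ACID host.

SRC="${SRC:-/var/log/snort/portscan.log}"                 # written by the portscan preprocessor
DEST="${DEST:-acid@loghost:/var/log/snort/portscan.log}"  # ACID's $portscan_file on the ACID host
STATE="${STATE:-/var/lib/snort/portscan.sync}"            # checksum of the last copy that succeeded

# copy_portscan: copy SRC to DEST, but only when SRC differs from what was
# last copied, so a frequent cron entry does not re-send an unchanged file.
# Prints "copied" or "unchanged". Exit status: 0 copied or already current,
# 1 SRC unreadable, 2 the copy itself failed (state is left untouched so
# the next run retries).
copy_portscan() {
    [ -r "$SRC" ] || { echo "cannot read $SRC" >&2; return 1; }
    # CRC and byte count of the current file, e.g. "1234567890 4096"
    sum=$(cksum < "$SRC" | cut -d' ' -f1,2)
    if [ -f "$STATE" ] && [ "$(cat "$STATE")" = "$sum" ]; then
        echo "unchanged"
        return 0
    fi
    case "$DEST" in
        *:*) scp -q "$SRC" "$DEST" || return 2 ;;  # user@host:path: copy over ssh
        *)   cp "$SRC" "$DEST"     || return 2 ;;  # plain path: same machine or a mounted share
    esac
    echo "$sum" > "$STATE"
    echo "copied"
    return 0
}

# Only run the copy when executed as sync-portscan.sh (e.g. from cron:
#   */5 * * * * /usr/local/sbin/sync-portscan.sh
# ), not when this file is sourced by another script.
case "$0" in
    *sync-portscan.sh) copy_portscan ;;
esac
```

The whole file is copied each time rather than appended to, because ACID reads $portscan_file in full and the preprocessor only ever appends to it; the checksum state just avoids a needless scp when nothing has scanned you since the last run. The exit codes let cron's mail, or a wrapper, distinguish a missing log from a failed transfer.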
    


 



