Re: spp_portscan and database schema

[Erek Adams <erek () theadamsfamily net>]

On 18 Jul 2002, Florin Andrei wrote:

> Are there any plans to change the way the alerts are sent to the
> database in regard to spp_portscan?
>
> I'm looking at portscan.log and i'd like to get that kind of information
> from the database without too many twists.
> Of course, if i'd run Snort in log mode, i think i'd have enough data to
> do that. But i'm running it in the alert mode, and log mode is not
> really an option (too much traffic).
> It would be nice if spp_portscan would suddenly switch to "log mode"
> once it detects a portscan, and revert back to alert. Or something like
> that, i'm not sure how to explain.
> To put it dumbly, "i want portscan.log in the database". :-)

Covered in your Handy-Dandy FAQ pages!

        http://acidlab.sourceforge.net/acid_faq.html#faq_b7

Now, _WHY_ do you have to do it that way?

        http://www.theadamsfamily.net/~erek/snort/logging_methods.txt

Will it change?  Sure!  Everything changes.  :)

Seriously, spp_portscan2 is being worked on in the 1.9dev branch.  That will
make quite a few changes to the way portscans are handled, so don't expect
things to remain the same. :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users