Snort mailing list archives
Portscans in enterprise environment
From: Bob Dehnhardt <bob.dehnhardt () trinet com>
Date: Tue, 21 Jan 2003 15:25:17 -0800
Okay, if I understand things properly (and there's a good chance I don't - feel free to correct me), the portscan2 preprocessor will only log to a file, not to a database. And ACID will only read the portscan data from one file. Assuming this is correct, how are people in enterprise environments handling their portscan detection?

I'm running Snort 1.9.0 on RedHat 7.3 with ACID 0.9.23b and SnortCenter 0.9.6. I've got 11 sensors scattered across 3 sites, and want to have portscan data from all of our external-facing sensors. My initial thought was to scp the logs from the various sensors, and cat them together into a single file for ACID to read, but wanted to check with the list before I reinvent the wheel. Also, I didn't want to lose track of which sensor was reporting the scan (yeah, I should be able to infer it from the traffic, but that's a little hard to sort on).

Thanks....

- Bob

Bob Dehnhardt
IT Operations Manager - Reno
(775) 327-6407
(775) 232-2820 cell
(510) 352-6480 fax
bob.dehnhardt () trinet com
PGP Key ID: 0xEA0E6BAD
TriNet
Paperless HR Total Service
www.trinet.com
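The scp-and-cat approach described in the post, with the sensor identity preserved, as an added example that is not part of the original message or of Snort/ACID. It assumes the per-sensor scan logs have already been copied to the collector (the scp step is shown only in a comment), and the two input files it builds are constructed samples whose line layout only approximates Snort's portscan output. The sensor names `reno-ext` and `sf-ext` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): combine per-sensor portscan log
# files into one file while tagging every line with the sensor that wrote it,
# so the origin of a scan is still visible (and sortable) after the merge.
# In production the files would be pulled first with something like
#   scp sensor01:/var/log/snort/scan.log ./scan.sensor01.log
# Here the inputs are local files so the script runs offline.

# merge_scan_logs OUTFILE sensor=file [sensor=file ...]
# Writes "<sensor> <original line>" for every line of every input file.
merge_scan_logs() {
    out="$1"; shift
    : > "$out"                      # start with an empty merged file
    for spec in "$@"; do
        sensor="${spec%%=*}"        # text before the first '='
        file="${spec#*=}"           # text after the first '='
        if [ ! -r "$file" ]; then
            echo "merge_scan_logs: cannot read $file for sensor $sensor" >&2
            return 1
        fi
        # IFS= and -r keep the line intact; the || handles a missing final newline
        while IFS= read -r line || [ -n "$line" ]; do
            printf '%s %s\n' "$sensor" "$line"
        done < "$file" >> "$out"
    done
}

# count_by_sensor MERGEDFILE SENSOR: how many merged lines carry SENSOR's tag
count_by_sensor() {
    grep -c "^$2 " "$1"
}

# make_sample_logs DIR: write two constructed per-sensor scan logs into DIR.
# These lines are made up for the example; they are not real sensor output.
make_sample_logs() {
    dir="$1"
    cat > "$dir/scan.reno-ext.log" <<'EOF'
01/21-15:20:01.000000 TCP src: 203.0.113.7 dst: 192.0.2.10 sport: 40001 dport: 22 tgts: 1 ports: 25 flags: ******S*
01/21-15:20:03.000000 TCP src: 203.0.113.7 dst: 192.0.2.10 sport: 40002 dport: 23 tgts: 1 ports: 26 flags: ******S*
EOF
    cat > "$dir/scan.sf-ext.log" <<'EOF'
01/21-15:21:10.000000 TCP src: 198.51.100.3 dst: 192.0.2.20 sport: 5100 dport: 80 tgts: 3 ports: 4 flags: ******S*
EOF
}

# Stand-alone demo: build the sample logs in a temp dir, merge and show them.
demo() {
    tmp=$(mktemp -d)
    make_sample_logs "$tmp"
    merge_scan_logs "$tmp/all-scans.log" \
        "reno-ext=$tmp/scan.reno-ext.log" \
        "sf-ext=$tmp/scan.sf-ext.log"
    cat "$tmp/all-scans.log"
    rm -rf "$tmp"
}

demo
```

One caveat on the design: the tag is prepended to each line, which changes the file format, so ACID's portscan reader (which expects the file as Snort wrote it) may not parse the tagged file. If ACID must read the merged file, keep an untagged concatenation for it and use the tagged copy for your own sorting and triage by sensor.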
Current thread:
- Portscans in enterprise environment Bob Dehnhardt (Jan 21)
- Re: Portscans in enterprise environment Erek Adams (Jan 21)
