Snort mailing list archives

Re: Portscan traffic on ACID


From: James Chong <james_cwy () yahoo com>
Date: Tue, 9 Mar 2004 19:45:37 -0800 (PST)

I did some reading up and found that I need to
configure the portscan pre-processor.

I have some questions though:

1. Based on 6.16 of the FAQ, it says to use alert. Now
in the snort.conf, I already have:
output database:log, mysql....................

Can I add another line using alert (total two lines)
or must I replace the log at the current line with
alert?

If the latter is chosen, will snort still log the
attacks?

I want snort to log all attacks and also be able to
detect port scans.

What is the best way to do this?

2. At var HOME_NET 
xxx.xxx.xxx.165/32,xxx.xxx.xxx.170/32,xxx.xxx.xxx.171/32,xxx.xxx.xxx.172/32

For the preprocessor config:
Can I just use $HOME_NET or do I need to repeat the IP
addresses:
preprocessor portscan: $HOME_NET 8 8 /var/log/snort/portscan.log


Please advise.
Thanks a lot
James

