Re: Portscans in BASE

["Michael Steele" <michaels () winsnort com>]

This is all related to BASE. 

 

The master MySQL sensor is running BASE which is logging portscans to the
portscan.log file using the below.

 

# Portscan detection.  For more information, see README.sfportscan

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low
} logfile { portscan.log }

 

There are 6 slave sensors directing events to the above master sensor and
all is working fine. However I have no idea where the portscans are being
directed to from the slaves using the below.

 

# Portscan detection.  For more information, see README.sfportscan

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low
}

 

Do these portscan events get inserted into the database in some table that
is not readable by base using the above configuration setting?

 

If there was a possibility of sharing the log file on the master sensor
there is no source ID for the logged portscan event.

 

Maybe it is just not possible to process portscan events from remote
sensors?

 

WINSNORT.com Management Team Member

--

********************************************************

*     Since 2002 ~~ Visit http://www.winsnort.com

*      ~~ FREE Windows installation Tutorials ~~

*              ~~ FREE Support Forums ~~

* Snort: Open Source Network IDS - http://www.snort.org

********************************************************

 

From: Dorian ROSSE <dorianbrice () hotmail fr> 
Sent: Monday, July 15, 2019 2:26 AM
To: Michael Steele <michaels () winsnort com>
Subject: Re: [Snort-users] Portscans in BASE

 

If you can't use porscan from readme have you try porscan example from
manual snort html page about porscan? 

It could works, 

Télécharger  <https://aka.ms/ghei36> Outlook pour Android

 

  _____  

From: Snort-users <snort-users-bounces () lists snort org
<mailto:snort-users-bounces () lists snort org> > on behalf of Michael Steele
<michaels () winsnort com <mailto:michaels () winsnort com> >
Sent: Monday, July 15, 2019 3:22:01 AM
To: Snort-users () lists snort org <mailto:Snort-users () lists snort org> 
Subject: [Snort-users] Portscans in BASE 

 

For the master sensor that BASE resides on the default portscan detection is
configured:

 

# Portscan detection.  For more information, see README.sfportscan

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low
} logfile { portscan.log }

 

For the slave sensors the default portscan detection is configured:

 

# Portscan detection.  For more information, see README.sfportscan

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low
} 

 

Does anyone know where are the portscans are being directed to for the
slaves, and is BASE able to see them?

 

 

 

 

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette