Woops...
the portscan2 module should've read, and now does read
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 12,
port_limit 25, timeout 3, log portscan2.log
I keep log files for the two portscan preprocessors that I rotate quite
frequently (every time they hit 20 megs) with some perl code I wrote,
just in case I need more info than the DB gives me (in this case it's
been helpful since I'm getting no portscan info from the db :)
--
john
On Tue, May 23, 2006 at 11:52:37AM -0500, John Newman wrote:
preprocessor portscan: $HOME_NET 25 3 portscan.log
preprocessor portscan-ignorehosts: XX.XX.XX.XX/XX
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 12,
po
rt_limit 25, timeout 3
preprocessor portscan2-ignorehosts: XX.XX.XX.XX/XX
preprocessor portscan2-ignoreports-from: 25
preprocessor portscan2-ignoreports-to: 25
Replace the XX.XX's with my network addresses.
thanks,
--
John
On Tue, May 23, 2006 at 12:07:30PM -0400, Joel Esler wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
What is your portscan line from your snort.conf file?
Joel
John Newman wrote:
Hello,
I'm using snort 2.4.4 but not sfportscan, rather the older portscan and
portscan2 modules. I've just realized that, although portscans are
being detected just fine, they aren't being propagated through barnyard
into the base database.
e.g.
select * from acid_event where sig_name like '%portscan%' and timestamp >
'2006-05-01 00:00:00';
returns nothing
If I change the date portion to sometime last month, before I switched
from sfportscan, I get all sorts of results. Does anyone have any clue
what might be causing this?
thanks,
- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEczNBKbCSyXHckt4RAqruAKCmakaXNUM6eLp+AknGUyXiXffhAgCeO6OI
KYB1aZzD/x8WBjH/RXSrWJE=
=Eu41
-----END PGP SIGNATURE-----
--
John Newman
Systems Administrator, WebXess Inc.
-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
John Newman
Systems Administrator, WebXess Inc.
-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
