Can snort output an alert for a portscan (sfPortscan) to syslog?

Posted by Jamie McNaught on Server Fault See other posts from Server Fault or by Jamie McNaught
Published on 2010-03-21T22:15:01Z Indexed on 2010/03/21 22:21 UTC
Read the original article Hit count: 536

Filed under:

snort

|

syslog

|

intrusion-detection

I've been working on this for too long now. I'm sure the answer should be obvious, but...

Snort manual: http://www.snort.org/assets/125/snort_manual-2_8_5_1.pdf lists two logging outputs on pg 39 (pg 40 according to Acrobat Reader) as: "Unified Output" and "Log File Output" which I am guessing the former refers to the "unified" output mode... which makes me think the answer is "No, snort cannot output alerts for detected portscans to syslog."

Config file I've been using is:

alert tcp any 80 -> any any (msg:"TestTestTest"; content: "testtesttest"; sid:123) preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         scan_type { all } \
                         sense_level { high } \
                         logfile { pscan.log }

(yes, very basic I know).

A simple nmap triggers output to the pscan.log

Can anyone confirm this? Or point out how I do this?

© Server Fault or respective owner

Related posts about snort

Snort: not logging anything

as seen on Server Fault - Search for 'Server Fault'
My site seems to be the target of quite a bit of probing over the last few months. In an attempt to get a better handle on this I installed SNORT on one of the machines that has external exposure. Something must not be installed correctly as I see lots of probing in /var/log/messages but snort isn't… >>> More
Snort/Barnyard2 Logging

as seen on Server Fault - Search for 'Server Fault'
I need some help with my Snort/Barnyard2 setup. My goal is to have Snort send unified2 logs to Barnyard2 and then have Barnyard2 send the data to other locations. Here is my currrent setup. OS Scientific Linux 6 Snort Version 2.9.2.3 Barnyard2 Version 2.1.9 Snort command snort -c /etc/snort/snort… >>> More
snort analysis of wireshark capture

as seen on Server Fault - Search for 'Server Fault'
I'm trying to identify trouble users on our network. ntop identifies high traffic and high connection users, but malware doesn't always need high bandwidth to really mess things up. So I am trying to do offline analysis with snort (don't want to burden the router with inline analysis of 20 Mbps… >>> More
Snort's problems in generating alert from Darpa 1998 intrusion detection dataset.

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi. I’m working on DARPA 1998 intrusion detection dataset. When I run snort on this dataset (outside.tcpdump file), snort don’t generate complete list of alerts. It means snort start from last few hours of tcpdump file and generate alerts about this section of file and all of packets in first hours… >>> More
Snort network instruction Mac OS X

as seen on Super User - Search for 'Super User'
I'm trying to learn network intrusion detection. When I try to launch Snort, in IDS mode, I get this message (I'm running Mac OS X): Initializing Network Interface en1 ERROR: OpenPcap() FSM compilation failed: syntax error PCAP command: snort Fatal Error, Quitting.. How can I fix this problem… >>> More

Related posts about syslog

WD MBWE II (White Strip Light) 2TB - unable to access data

as seen on Super User - Search for 'Super User'
I have a WD MBWE II (White Strip Light) 2TB - (WD20000H2NC-00) Was working fine until a few days ago. I guess there was a power failure and after that I am unable to access the 'Public' or the 'Download' folder anymore. I have been searching for answers everywhere but came up empty handed. Web… >>> More
Logs are written to *.log.1 instead of *.log

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
For some reason my log files are writing to the *.log.1 files instead of the *.log files, e.g. for my Postfix log files it is writing to /var/log/mail.log.1 and not /var/log/mail.log as expected. Same goes for mail.err. It looks like it's also doing it for auth.log and syslog. Here is a ls -lt snippet… >>> More
syslog-ng and nging logs to mysql

as seen on Server Fault - Search for 'Server Fault'
So couple of days ago I asked how to log php and nginx logs to centralized MySQL database, and m0ntassar gave a perfect answer :) cheer ! The problem I am facing now is that I can not seem to get it working. syslog-ng version: # syslog-ng --version syslog-ng 3.2.5 This is my nginx log format: log_format… >>> More
Python - retrieving info from a syslog file

as seen on Stack Overflow - Search for 'Stack Overflow'
Ive been asked to do a program using python for an assignment. Ive been given a syslog file and I have to find things out about it How do I find out how many attempts were made to login to the root account? Any advice would be highly appreciated as Im very new to python an completely lost! >>> More
How can i monitor syslog messages in c# console app with TCP

as seen on Stack Overflow - Search for 'Stack Overflow'
Heya, In my application, i need to monitor all messages sent by syslog. I've tried with UDP, but after one message, i didn't respond anymore (no error, just no heads up anymore). And setting up a tcp server isn't really the solution either i think. Can anyone guide me to a solution where i can log… >>> More