Base not showing portscans

BASE-user
keith
2008-03-31
2013-06-03
  • keith

    keith - 2008-03-31

    I'm running BASE 1.3.9 and Snort (can't remember the version) and BASE won't show any of my portscans. I've got Snort set up to log it to a text file called portscans.log and when I open the log it has a bunch of entries. I've double-checked the location and permissions but it still won't show up. Any suggestions?

     
    • Juergen Leising

      Juergen Leising - 2008-04-01

      Hello keith,

      an entry like this one in snort.conf:

      logfile { /var/log/snort/sfportscan.log }

      requires the following in base_conf.php, around line 238:

      /* Snort spp_portscan log file */
      $portscan_file = '/var/log/snort/sfportscan.log';

      Bye, bye

      Juergen

       
    • keith

      keith - 2008-04-01

      Yeah, that's what I have. Is there a log file where I can look for maybe a clue on why it's not working?

      Thanks

       
    • keith

      keith - 2008-04-01

      OK, I looked around a little and found that the port scans are showing up in BASE (this is my first time using it): when I navigate to the base_stat_ipaddr.php file and click on port scans they show up. They don't show up on the main page though, it just says 0%.

      Thanks

       
    • keith

      keith - 2008-04-01

      Sorry, another update. It looks like it doesn't like the format of the portscan.log file. The file looks like this:

      Time: 03/31-19:47:12.333574
      event_id: 23
      192.168.1.5 -> 192.168.1.20 (portscan) TCP Portscan
      Priority Count: 5
      Connection Count: 10
      IP Count: 1
      Scanner IP Range: 192.168.1.5:192.168.1.5
      Port/Proto Count: 11
      Port/Proto Range: 21:3389

      Is there something I need to change in Snort to format it in a way that BASE can recognize it?

       
    • Juergen Leising

      Juergen Leising - 2008-04-05

      Hello Keith,

      right now, I do not know what could be wrong. But I do not think that the format of the portscan file is wrong. My own one does not look different.

      Do the portscan alerts show up if you click on the number for all of the alerts?

      Bye, bye

      Juergen
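
A quick way to check a portscan log for malformed or truncated records, added here as an example (it is not part of the thread and is not how BASE itself reads the file). The record layout is assumed from the excerpt keith posted; `parse_records`, `ALERT` and `REQUIRED` are hypothetical names, and the second, cut-off record in the sample is constructed.

```python
import re

# First record copied from the thread; the truncated second one is constructed.
SAMPLE = """\
Time: 03/31-19:47:12.333574
event_id: 23
192.168.1.5 -> 192.168.1.20 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 10
IP Count: 1
Scanner IP Range: 192.168.1.5:192.168.1.5
Port/Proto Count: 11
Port/Proto Range: 21:3389

Time: 03/31-19:52:40.101010
event_id: 24
"""

# The one line in a record that is not "Key: value".
ALERT = re.compile(r"^(\S+) -> (\S+) \(portscan\) (.+)$")
REQUIRED = ("Time", "event_id", "src", "dst", "type")

def parse_records(text):
    """Split the log on blank lines; return (complete records, problems)."""
    records, problems = [], []
    for n, block in enumerate(re.split(r"\n\s*\n", text.strip()), 1):
        rec = {}
        for line in block.splitlines():
            line = line.strip()
            m = ALERT.match(line)
            if m:
                rec["src"], rec["dst"], rec["type"] = m.groups()
            elif ": " in line:
                key, value = line.split(": ", 1)  # value may itself contain ':'
                rec[key] = value
            else:
                problems.append(f"record {n}: unrecognised line {line!r}")
        missing = [k for k in REQUIRED if k not in rec]
        if missing:
            problems.append(f"record {n}: missing {', '.join(missing)}")
        else:
            records.append(rec)
    return records, problems

if __name__ == "__main__":
    recs, probs = parse_records(SAMPLE)
    print(len(recs), "complete record(s);", probs or "no problems")
```
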

       
