Kernel_Killer
November 20th, 2003, 01:15
I really have no idea what happened, but now I'm not picking up portscans with a sguil setup. It seems to be picking up other types of intrusion, but not portscans. Barnyard doesn't have any trouble seeing these intrusions, and seems to be dropping data off who knows where flawlessly. No DB errors or anything. Just usual barnyard activity.

So I change the hostnames in sensor_agent.tcl in every way possible. No go. No data being moved. Next I check snort.conf to make sure things are going where they should. Everything was fine there. So I do various portscans in hopes that something would happen. Nope. I then turn off barnyard, and do another, check /snort_data/portscans and /snort_data/ssn_logs. Nothing.

Any ideas? :?

Kernel_Killer
November 20th, 2003, 01:41
Ok. Found part of the problem. I checked /tmp, and there were a bunch of portscan and session files sitting there. So I drop the portscan files in /snort_data/portscan. Sensor_agent.tcl sucks them right up, and now they can be viewed. What exactly is supposed to move them from /tmp? Looks like the only thing left.

Nevermind. Got it. A little confusion in the sensor_agent and snort.conf. :P