Portscan is a Snort plug-in that works together with Logcheck to give network administrators a more complete response to port scans. The tool extends Snort's alerting with an automated follow-up to the scans Snort detects.
As an add-on for Snort and Logcheck, the Portscan plug-in (also known as "portscan") monitors your Snort log file and, when a logged alert matches one of a configurable set of keywords, runs a port scan in response. Note that this program requires both Nmap and Snort. If you want the tool to run automatically, Logcheck must also be installed, since for the time being the Portscan plug-in depends on Logcheck to invoke it. In a future release the tool is expected to run as a daemon instead.
To use the Portscan plug-in, make sure that Snort is set to log to syslog and that you know which file it is logging to. Lines in that file should look like the following example: "Jul 6 18:34:00 thqms3 snort: IDS126/x11_Outgoing_Xterm: 212.30.119.109:6000 -> 63.80.88.42:33248".
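The keyword-driven matching against that syslog format, as an added example that is not code from the Portscan package: it parses the Snort line shown above, skips lines that are not Snort alerts or carry no ports, and reports the alerts whose signature name contains a keyword. The log lines and the keywords file contents are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample in the syslog format shown above; not real traffic.
SAMPLE_LOG = """\
Jul  6 18:34:00 thqms3 snort: IDS126/x11_Outgoing_Xterm: 212.30.119.109:6000 -> 63.80.88.42:33248
Jul  6 18:34:05 thqms3 snort: IDS198/SYN_FIN_Scan: 10.0.0.5:1234 -> 10.0.0.9:22
Jul  6 18:34:07 thqms3 sshd[812]: Accepted password for alice from 10.0.0.7
Jul  6 18:34:09 thqms3 snort: IDS4/PING_ICMP: 10.0.0.5 -> 10.0.0.9
"""

# Constructed stand-in for the keywords file kept under /etc/portscan (assumed format).
SAMPLE_KEYWORDS = """\
# one keyword per line, matched case-insensitively against the signature name
scan
xterm
"""

# syslog timestamp, host, "snort:", signature, then src:port -> dst:port
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) snort: '
    r'(?P<sig>.+?): (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> '
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$'
)

def load_keywords(text):
    """Return lower-cased keywords, ignoring blank lines and # comments."""
    return [k.strip().lower() for k in text.splitlines()
            if k.strip() and not k.lstrip().startswith('#')]

def parse_line(line):
    """Parse one Snort syslog alert; None for non-Snort or port-less lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    try:  # reject syntactically plausible but invalid addresses
        ip_address(ev['src']); ip_address(ev['dst'])
    except ValueError:
        return None
    ev['sport'], ev['dport'] = int(ev['sport']), int(ev['dport'])
    return ev

def matching_events(log_text, keywords):
    """Alerts whose signature name contains a keyword, with the keyword that hit."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ev['keyword'] = next((k for k in keywords if k in ev['sig'].lower()), None)
        if ev['keyword']:
            hits.append(ev)
    return hits
```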
To install, run "install.sh". After installation you can edit the Portscan configuration file and the keywords file, both located in /etc/portscan. Once you have made any necessary changes, add the following two lines to your logcheck.sh file so that Logcheck invokes the plug-in and hands it the log lines it has collected: "/usr/sbin/portscan.pl &" and "cat $TMPDIR/checkoutput.$$ > $TMPDIR/portscan.log".
Version 0.0.2a: N/A