Portscan and Spade alerts are not showing up?
Most likely this is due to the Snort database plug-in being configured improperly. The portscan pre-processor is hard-coded to output to the “alert” logging facility; it will only write to those output plug-ins registered for “alert” logging. However, the default configuration for the database plug-in is to register itself as a “log” output facility.

Sample DB plug-in configuration for logging portscans (note the “alert”):

    output database: alert, mysql, user=snort, dbname=snort_log host=localhost password=foo

Even with this configuration, only the occurrence of a portscan (or spade) event will be logged to the database. The specific ports involved will not be stored; this port information is only available in the portscan log file. Logging the individual ports is currently not possible in Snort due to an architectural limitation: pre-processors cannot pass data to the output plug-in. ACID provides a limited solution to this issue by providing the capability to browse a single portscan.log
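One way to check a snort.conf for the facility mismatch described above. This is an added example, not part of the original FAQ or of Snort/ACID; the function name `check_conf`, the sample configuration text and the preprocessor arguments in it are constructed for illustration.

```python
import re

# Constructed sample snort.conf fragment (not taken from a real sensor).
MISCONFIGURED = """\
preprocessor portscan: $HOME_NET 4 3 portscan.log
# output database: alert, mysql, user=snort dbname=snort_log host=localhost
output database: log, mysql, user=snort, dbname=snort_log host=localhost password=foo
"""
# Same file with the active database plug-in registered on "alert".
FIXED = MISCONFIGURED.replace("database: log,", "database: alert,")

# Preprocessors the FAQ entry names as writing only to the "alert" facility.
PREPROC = re.compile(r"^\s*preprocessor\s+(portscan|spade)\s*:", re.I)
# "output database: <facility>, <dbtype>, ..." -> capture the facility.
DB_OUT = re.compile(r"^\s*output\s+database\s*:\s*(\w+)\s*,", re.I)


def check_conf(text):
    """Return warnings for portscan/spade events that cannot reach the DB."""
    preprocs, facilities = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # ignore comments and disabled lines
        m = PREPROC.match(line)
        if m:
            preprocs.add(m.group(1).lower())
        m = DB_OUT.match(line)
        if m:
            facilities.add(m.group(1).lower())

    if not preprocs:
        return []  # nothing depends on the "alert" facility here
    names = ", ".join(sorted(preprocs))
    if not facilities:
        return [f"{names}: no 'output database' line, events will not reach the DB"]
    if "alert" not in facilities:
        found = ", ".join(sorted(facilities))
        return [f"{names}: database plug-in registered as '{found}' only; "
                "register it as 'alert' to record these events"]
    return []


if __name__ == "__main__":
    for label, conf in (("misconfigured", MISCONFIGURED), ("fixed", FIXED)):
        print(label, "->", check_conf(conf) or "ok")
```
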