The port scan plug-in for Snort, or just portscan for short, is intended to be used in conjunction with Snort and logcheck. The tool allows you to monitor your Snort log file and then run port scans based on certain keywords.
This program requires nmap and snort. If you want it to run automatically you will also need logcheck. Hopefully in the future this program will be built to run as a daemon and will no longer rely on logcheck. But for now use logcheck.
Make sure that Snort is set to log to syslog and that you know which syslog file it is logging to. The contents of the file will look like this:
Jul 6 18:34:00 thqms3 snort: IDS126/x11_Outgoing_Xterm: 18.104.22.168:6000 -> 22.214.171.124:33248
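The alert line above, parsed and keyword-matched in Python as an added example that is not part of the portscan package. It assumes keywords are matched as case-insensitive substrings of the rule name (the page does not describe the keywords file format); the function names and every sample line except the first are constructed.

```python
import ipaddress
import re

# Layout: <month> <day> <time> <host> snort: <rule>: <src>:<port> -> <dst>:<port>
ALERT_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<host>\S+)\s+snort(?:\[\d+\])?:\s+"
    r"(?P<rule>.+?):\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not usable."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    try:
        # Treat the log as untrusted input: accept only literal IPv4
        # addresses so nothing else can reach a scanner's command line.
        for key in ("src", "dst"):
            fields[key] = str(ipaddress.IPv4Address(fields[key]))
    except ValueError:
        return None
    return fields


def matching_alerts(lines, keywords):
    """Alerts whose rule name contains any keyword (case-insensitive)."""
    wanted = [k.strip().lower() for k in keywords if k.strip()]
    hits = []
    for line in lines:
        alert = parse_alert(line)
        if alert and any(k in alert["rule"].lower() for k in wanted):
            hits.append(alert)
    return hits


# Constructed sample: the first line is the one from this page, the rest are made up.
SAMPLE_LOG = [
    "Jul 6 18:34:00 thqms3 snort: IDS126/x11_Outgoing_Xterm: 18.104.22.168:6000 -> 22.214.171.124:33248",
    "Jul 6 18:35:10 thqms3 snort: IDS999/example_rule: 192.0.2.7:1042 -> 192.0.2.1:80",
    "Jul 6 18:36:02 thqms3 snort: IDS126/x11_Outgoing_Xterm: not_an_ip:6000 -> 192.0.2.1:33248",
    "Jul 6 18:37:00 thqms3 sshd[411]: session opened for user root",
]

if __name__ == "__main__":
    for a in matching_alerts(SAMPLE_LOG, ["xterm"]):
        print(a["rule"], a["src"], "->", a["dst"])
```

Lines that fail the pattern or carry a non-address in an address field are dropped rather than passed on.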
To install, first run install.sh.
After running install.sh you may edit the portscan.conf file in /etc/portscan and the keywords file. After making any necessary changes you will need to add the following lines to your logcheck.sh file:
cat $TMPDIR/checkoutput.$$ > $TMPDIR/portscan.log
So your logcheck.sh file should now look like this (toward the bottom)