Snort mailing list archives
Snort_stat.pl weirdness
From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 1 Nov 2001 13:42:19 -0800 (PST)
Ok, after puttering with this for a while, I thought I'd see if anyone has any insight on this weirdness. It's damned odd, since this works just fine on the same box using snort 1.7 and an older version of snort_stat.

With Snort Version 1.8.2-beta0 (Build 85) and

# $Id: snort_stat.pl,v 1.15.2.6 2001/08/24 01:24:43 yenming Exp $

I grabbed 4 entries from my full alert file and placed them into a small file called testme. Then 'cat testme | ./new_snort_stat.pl'. Now, I would expect the normal output, but instead I get almost nothing:

---
[erek@merf]/var/log/snort# cat testme | ./new_snort_stat.pl
Subject: snort daily report

The log begins from: ::
The log ends at: ::

Total events: 0
Signatures recorded: 0
Source IP recorded: 0
Destination IP recorded: 0

[...snip...]

The distribution of attack methods
===============================================
# of    %    attacks    method
===============================================
---

All of the stats show _nothing_. No alerts or anything. But--in the testme file, I have the following:

---
[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26/01-18:40:47.967396 206.191.48.234:3006 -> 10.10.0.73:80
TCP TTL:106 TOS:0x4 ID:28063 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x47AC98A  Ack: 0xD9FCC5DA  Win: 0x2238  TcpLen: 20

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26/01-18:40:48.217643 206.191.48.234:3045 -> 10.10.0.73:80
TCP TTL:106 TOS:0x4 ID:61599 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x47ACA94  Ack: 0xD9FDD3EB  Win: 0x2238  TcpLen: 20

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26/01-18:40:48.465891 206.191.48.234:3072 -> 10.10.0.73:80
TCP TTL:106 TOS:0x4 ID:21152 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x47ACB7F  Ack: 0xD9FF05D3  Win: 0x2238  TcpLen: 20

[**] [1:515:2] MISC source port 53 to <1024 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/26/01-21:46:50.717413 129.250.35.250:53 -> 10.10.0.76:137
UDP TTL:246 TOS:0x0 ID:20975 IpLen:20 DgmLen:128 DF
Len: 108
---
Anyone? Bueller?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
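For reference, a small parser for the full-alert format quoted above that produces the same head-of-report counts snort_stat prints (log begins/ends, total events, signatures, source and destination IPs, distribution by method) and tolerates the optional [Classification]/[Priority] line seen in the fourth record. This is an added Python example, not snort_stat.pl or any Snort project code; the only input is the four records from the post.

```python
import re
from collections import Counter

# Sample input: the four records from the "testme" file quoted in the post.
SAMPLE_ALERTS = """\
[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26/01-18:40:47.967396 206.191.48.234:3006 -> 10.10.0.73:80
TCP TTL:106 TOS:0x4 ID:28063 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x47AC98A  Ack: 0xD9FCC5DA  Win: 0x2238  TcpLen: 20
[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26/01-18:40:48.217643 206.191.48.234:3045 -> 10.10.0.73:80
TCP TTL:106 TOS:0x4 ID:61599 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x47ACA94  Ack: 0xD9FDD3EB  Win: 0x2238  TcpLen: 20
[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26/01-18:40:48.465891 206.191.48.234:3072 -> 10.10.0.73:80
TCP TTL:106 TOS:0x4 ID:21152 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x47ACB7F  Ack: 0xD9FF05D3  Win: 0x2238  TcpLen: 20
[**] [1:515:2] MISC source port 53 to <1024 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/26/01-21:46:50.717413 129.250.35.250:53 -> 10.10.0.76:137
UDP TTL:246 TOS:0x0 ID:20975 IpLen:20 DgmLen:128 DF
Len: 108
"""
# A "[**] [gid:sid:rev] msg [**]" header opens a record; its packet line follows,
# possibly after an optional "[Classification: ...] [Priority: n]" line.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.*?) \[\*\*\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")

def parse_alerts(text):
    alerts, current = [], None  # one dict per record: sid, msg, timestamp, src, dst
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = {"sid": m.group(1), "msg": m.group(2)}
            alerts.append(current)
        elif (m := PACKET_RE.match(line)) and current and "src" not in current:
            current["timestamp"] = m.group(1)
            current["src"] = m.group(2).rsplit(":", 1)[0]  # drop ":port" if present
            current["dst"] = m.group(3).rsplit(":", 1)[0]
    return [a for a in alerts if "src" in a]  # skip headers lacking a packet line

def summarize(alerts):
    """The counts snort_stat prints at the top of its daily report."""
    return {
        "total_events": len(alerts),
        "signatures": len({a["msg"] for a in alerts}),
        "source_ips": len({a["src"] for a in alerts}),
        "destination_ips": len({a["dst"] for a in alerts}),
        "begins": alerts[0]["timestamp"] if alerts else None,
        "ends": alerts[-1]["timestamp"] if alerts else None,
        "methods": Counter(a["msg"] for a in alerts),
    }
```

Run on the four records it reports 4 events, 2 signatures, 2 source and 2 destination IPs, which is what the zeroed report above should have shown.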