Snort mailing list archives
RE: Log vs. Alert --end the confusion!
From: "Williams Jon" <WilliamsJon () JohnDeere com>
Date: Tue, 13 Aug 2002 08:17:27 -0500
While we're talking about how preprocessors log packets, could someone help me out with the stream4 preprocessor? There are a number of seemingly useful alerts that come out of it, such as the TTL evasion alerts, but when I go to the log, it looks as if Snort only logs the last packet, or the one that actually triggered the alert. As a result, it is very difficult to go back through and describe to the "attacker" or their ISP what the activity was. Obviously, the stream4 preprocessor had to have had all of the packets go through it and remember that the TTL was 5 on packet A, 8 on B, and so on. Is it possible to get it to write out all the packets in the offending stream? This goes for all the alerts that come out of this preprocessor, and not just the TTL one. Thanks.

Jon

-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com]
Sent: Monday, August 12, 2002 5:04 PM
To: Steve Halligan
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Log vs. Alert --end the confusion!

Steve Halligan <giermo () geeksquad com> writes:
As an aside, I would like to put my vote in for a single generic message from portscan2. As it is, the msg looks like this: "Portscan detected from a.b.c.d blah blah blah". For those of us that use a database, this adds a unique signature for each and every portscan. In addition to clogging up the signature table, it frustrates signature-based queries. Why put the IP in the message? You can see it in the IP addr field anyway. If you need to know the number of ports/hosts, you can look in the scan.log.
Yeah... This makes sense. I'll add that. Thanks for reminding me on mail instead of IRC.
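Steve's point above, that a portscan2 message which embeds the scanner's address turns every scan into a distinct signature in a database back end, can be shown with a small normalizer. This is an added example, not code from the thread or from Snort itself: the alert lines are constructed in an approximate alert_fast layout, the exact wording of the portscan2 message is assumed, and the regexes only claim to match that assumed layout. It counts distinct (gid, sid, msg) signatures before and after collapsing the per-scan message to a generic one, keeping the scan details as separate fields the way the thread suggests (IP in the address field, counts in scan.log).

```python
import re
from collections import Counter

# Constructed sample alerts (not real captures). The alert_fast layout and
# the portscan2 message text are assumptions made for this example.
SAMPLE_ALERTS = [
    '08/12-17:01:02.000001  [**] [117:1:1] (spp_portscan2) Portscan detected from 10.1.1.1: 6 targets 21 ports in 3 seconds [**] {TCP} 10.1.1.1:4455 -> 10.2.2.2:80',
    '08/12-17:05:10.000002  [**] [117:1:1] (spp_portscan2) Portscan detected from 10.1.1.9: 1 targets 64 ports in 2 seconds [**] {TCP} 10.1.1.9:4456 -> 10.2.2.2:22',
    '08/12-17:09:33.000003  [**] [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.7: 3 targets 12 ports in 9 seconds [**] {TCP} 192.0.2.7:1025 -> 10.2.2.3:25',
    '08/12-17:11:00.000004  [**] [1:1000001:1] WEB-MISC example probe [**] {TCP} 192.0.2.7:1026 -> 10.2.2.3:80',
    '08/12-17:12:00.000005  [**] [1:1000001:1] WEB-MISC example probe [**] {TCP} 10.1.1.1:4460 -> 10.2.2.3:80',
]

# [**] [gid:sid:rev] msg [**] {proto} src:sport -> dst:dport
FAST_RE = re.compile(
    r'\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]'
    r'(?: \{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+))?'
)

# Assumed shape of the per-scan portscan2 message that embeds the scanner IP.
PORTSCAN_RE = re.compile(
    r'^\(spp_portscan2\) Portscan detected from (?P<ip>[\d.]+): '
    r'(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<secs>\d+) seconds$'
)

GENERIC_PORTSCAN_MSG = '(spp_portscan2) Portscan detected'


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = FAST_RE.search(line)
    return m.groupdict() if m else None


def generic_signature(msg):
    """Collapse a per-scan portscan2 message into one generic signature.

    Returns (signature, details): details carries the scanner IP and the
    counts that the original message embedded, so nothing is lost; they just
    no longer live in the signature text. Non-portscan messages pass through.
    """
    m = PORTSCAN_RE.match(msg)
    if not m:
        return msg, {}
    details = {
        'scanner': m['ip'],
        'targets': int(m['targets']),
        'ports': int(m['ports']),
        'seconds': int(m['secs']),
    }
    return GENERIC_PORTSCAN_MSG, details


def signature_counts(lines, normalize):
    """Count alerts per (gid, sid, msg) signature, the key a database
    back end would store. With normalize=True the portscan2 message is
    collapsed first, so all scans share one signature row."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        msg = generic_signature(alert['msg'])[0] if normalize else alert['msg']
        counts[(alert['gid'], alert['sid'], msg)] += 1
    return counts


if __name__ == '__main__':
    raw = signature_counts(SAMPLE_ALERTS, normalize=False)
    norm = signature_counts(SAMPLE_ALERTS, normalize=True)
    print('distinct signatures, raw message:    ', len(raw))
    print('distinct signatures, generic message:', len(norm))
    for key, n in norm.items():
        print(n, key)
```

Run as a script it prints 4 distinct signatures for the raw messages (three portscans plus one rule) and 2 after normalizing, which is the signature-table growth Steve describes: one new row per scan versus one row for all of them, with the scanner address still available from the address fields.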
Current thread:
- Log vs. Alert --end the confusion! Steve Halligan (Aug 12)
- Re: Log vs. Alert --end the confusion! Chris Green (Aug 12)
- <Possible follow-ups>
- RE: Log vs. Alert --end the confusion! Williams Jon (Aug 13)
- Re: Log vs. Alert --end the confusion! Chris Green (Aug 13)