Snort mailing list archives

RE: Log vs. Alert --end the confusion!


From: "Williams Jon" <WilliamsJon () JohnDeere com>
Date: Tue, 13 Aug 2002 08:17:27 -0500

While we're talking about how preprocessors log packets, could someone help
me out with the stream4 preprocessor?  There are a number of seemingly
useful alerts that come out of it, such as the TTL evasion alerts, but when
I go to the log, it looks as if snort only logs the last packet or the one
that actually triggered the alert.  As a result, it is very difficult to go
back through and describe to the "attacker" or their ISP what the activity
was.  Obviously, the stream4 preprocessor had to have had all of the packets
go through it and remember that the TTL was 5 on packet A, 8 on B, and so
on.  Is it possible to get it to write out all the packets in the offending
stream?  This goes for all the alerts that come out of this preprocessor,
and not just the TTL one.

Thanks.

Jon

-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com]
Sent: Monday, August 12, 2002 5:04 PM
To: Steve Halligan
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Log vs. Alert --end the confusion!

Steve Halligan <giermo () geeksquad com> writes:

> As an aside.  I would like to put my vote in for a single generic message
> from portscan2.  As it is, the msg looks like this "Portscan detected from
> a.b.c.d blah blah blah".  For those of us that use a database, this adds a
> unique signature for each and every portscan.  In addition to clogging up
> the signature table, it frustrates signature based queries.  Why put the ip
> in the message?  You can see it in the ip addr field anyway.  If you need to
> know the number of ports/hosts, you can look in the scan.log.


Yeah... This makes sense.  I'll add that.  Thanks for reminding me on
mail instead of IRC.



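The database problem Steve raises, as an added illustration that is not code from this thread or from Snort: a canonicalisation pass that moves the per-scan variables out of the msg text so one portscan signature covers every scan, while the scanning host is still queried from the ip address field. The portscan2 message wording and the sample alerts are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample alerts in the shape described above: the source address
# and the scan counts are embedded in the msg text, so every scan produces a
# msg nobody has seen before. The exact portscan2 wording is assumed.
SAMPLE_ALERTS = [
    {"src_ip": "10.0.0.5",  "msg": "Portscan detected from 10.0.0.5: 1 targets 21 ports in 3 seconds"},
    {"src_ip": "10.0.0.9",  "msg": "Portscan detected from 10.0.0.9: 4 targets 120 ports in 10 seconds"},
    {"src_ip": "10.0.0.5",  "msg": "Portscan detected from 10.0.0.5: 2 targets 40 ports in 6 seconds"},
    {"src_ip": "192.0.2.7", "msg": "WEB-MISC /etc/passwd access attempt"},
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
COUNTS = re.compile(r"\b\d+ (targets|ports|seconds)\b")


def canonical_msg(msg: str) -> str:
    """Strip per-event variables (addresses, counts) from an alert msg so the
    remainder can serve as a stable signature name in the database."""
    msg = IPV4.sub("<ip>", msg)
    return COUNTS.sub(r"N \1", msg)


def signature_counts(alerts, canonicalize=canonical_msg):
    """Count alerts per signature name; pass canonicalize=str to see how many
    distinct signatures the raw, address-bearing messages would create."""
    return Counter(canonicalize(a["msg"]) for a in alerts)


def sources_for_signature(alerts, signature):
    """Signature-based query: which ip addr field values fired this signature,
    and how often. The address comes from the alert's own ip field, not msg."""
    return Counter(a["src_ip"] for a in alerts
                   if canonical_msg(a["msg"]) == signature)


if __name__ == "__main__":
    print("raw signatures:      ", len(signature_counts(SAMPLE_ALERTS, str)))
    print("canonical signatures:", len(signature_counts(SAMPLE_ALERTS)))
    scan_sig = canonical_msg(SAMPLE_ALERTS[0]["msg"])
    print(scan_sig, dict(sources_for_signature(SAMPLE_ALERTS, scan_sig)))
```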