Snort mailing list archives

alerts with "[Xref => arachnids" tag bunched together in Snort alert file


From: "murcsu murcsu () mail com" <murcsu () mail com>
Date: Thu, 10 Oct 2002 12:21:25 -0500

I searched the archives but didn't see any mention of this.

Since I upgraded to Snort 1.9, the alerts with the "[Xref => arachnids" 
tag are bunched together without a blank line separating them.

[**] [1:566:3] POLICY PCAnywhere server response [**]
[Classification: Misc activity] [Priority: 3] 
10/09-17:37:23.059980 a.b.c.d:44100 -> w.x.y.z:5632
UDP TTL:116 TOS:0x0 ID:15491 IpLen:20 DgmLen:30
Len: 10
[Xref => arachnids 239]
[**] [1:480:2] ICMP PING speedera [**]
[Classification: Misc activity] [Priority: 3] 
10/09-17:40:11.503608 a.b.c.d -> w.x.y.z
ICMP TTL:49 TOS:0x0 ID:38604 IpLen:20 DgmLen:84
Type:8  Code:0  ID:7693   Seq:59926  ECHO

The alerts without the Xref tag display with whitespace between them.

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
10/09-23:22:12.196847 a.b.c.d:4876 -> w.x.y.z:80
TCP TTL:117 TOS:0x0 ID:39095 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x48142058  Ack: 0x71F0399B  Win: 0x2238  TcpLen: 20
 
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
10/09-23:22:12.259297 a.b.c.d:4888 -> w.x.y.z:80
TCP TTL:117 TOS:0x0 ID:44471 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x48198BD7  Ack: 0x71F0FC90  Win: 0x2238  TcpLen: 20

SnortSnarf apparently uses the whitespace as a delimiter, so it will 
display a group of alerts bunched together as a single alert.

Has anyone else run into this problem?

My sensors are running OpenBSD 3.0.  Snort 1.9 was built from source.  
My reporting machine is running SnortSnarf-020516.1 on Solaris 8.  
Snort 1.9 was built from source.

My Snort command:
/usr/local/bin/snort -c /root/snort/snort.conf -h w.x.y.z/24 -i \
fxp1 -A full -b -D

My SnortSnarf command:
/usr/local/bin/snortsnarf.pl -d $DMZ/10/10/ -ldir \
https://reporter/dmz/2002/10/10/ -homenet w.x.y.z/24 $DMZ/10/10/alert

Thanks.
