Snort mailing list archives
snort 2.0: is icmp type missing from syslog format?
From: Michael Scheidell <scheidell () secnap net>
Date: Mon, 5 May 2003 08:35:50 -0400 (EDT)
Is the icmp type and code missing from the snort 2.0 syslog format? Is it that way by design? Can I beg for it to be put in?

The 'source and destination' ports exist for tcp and udp, and for csv for barnyard, I note, that even if the format is different (doesn't have an ip:port), it does have the icmp code recorded (the "8,0"):

"ICMP","2003-01-19 04:35:01",80.129.248.131,,xxx.xxx.xxx.xxx,,8,0,117,1,1,96335,96 335

May 5 06:01:08 scanner snort: [1:499:3] ICMP Large ICMP Packet [Classification: Potentially Bad Traffic] [Priority: 2]: <fxp1> {ICMP} 193.221.47.96 -> xxx.xxx.xxx.xxx

By looking at what was logged in mysql, I see that the ICMP type code is (8) Echo Request with code 0. Should not at least the 8 be recorded? Like this?

May 5 06:01:08 scanner snort: [1:499:3] ICMP Large ICMP Packet [Classification: Potentially Bad Traffic] [Priority: 2]: <fxp1> {ICMP} 193.221.47.96:8 -> xxx.xxx.xxx.xxx:0

(ie, record the icmp type in the 'src' (port) location and icmp code in the 'dest' (port) location)

Note the port source and dest for udp (and tcp) exists for tcp and udp:

May 5 07:02:37 scanner snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: <fxp1> {UDP} 203.121.69.114:2051 -> xxx.xxx.xxx.xxx:1434

--
Michael Scheidell
SECNAP Network Security
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
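As an added example (not from the post and not Snort's own code), a small Python parser for the syslog alert lines quoted in the post: it pulls out gid:sid:rev, message, classification, priority, interface, protocol and endpoints, leaves ICMP type/code unset for the stock 2.0 format (which carries none), and reads them back if a sensor emits the proposed src:type -> dst:code layout. The sample lines are copied from the post; the field names are this example's own.

```python
import re
from typing import Optional

# Snort 2.0 syslog alert line (sample lines below are taken from the post).
ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\]: "
    r"(?:<(?P<iface>[^>]*)> )?\{(?P<proto>[A-Z]+)\} "
    r"(?P<src>[^\s:]+)(?::(?P<a>\d+))? -> (?P<dst>[^\s:]+)(?::(?P<b>\d+))?\s*$"
)

SAMPLE_LINES = [
    # stock 2.0 ICMP alert: no type/code after the addresses
    "May 5 06:01:08 scanner snort: [1:499:3] ICMP Large ICMP Packet "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: <fxp1> {ICMP} "
    "193.221.47.96 -> xxx.xxx.xxx.xxx",
    # the layout proposed in the post: src:type -> dst:code
    "May 5 06:01:08 scanner snort: [1:499:3] ICMP Large ICMP Packet "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: <fxp1> {ICMP} "
    "193.221.47.96:8 -> xxx.xxx.xxx.xxx:0",
    # UDP alert: the numbers after the colons really are ports
    "May 5 07:02:37 scanner snort: [1:2003:2] MS-SQL Worm propagation attempt "
    "[Classification: Misc Attack] [Priority: 2]: <fxp1> {UDP} "
    "203.121.69.114:2051 -> xxx.xxx.xxx.xxx:1434",
]

def parse_alert(line: str) -> Optional[dict]:
    """Return a dict for one alert line, or None if it is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    a = int(d["a"]) if d["a"] is not None else None
    b = int(d["b"]) if d["b"] is not None else None
    rec = {
        "sid": (int(d["gid"]), int(d["sid"]), int(d["rev"])),
        "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
        "iface": d["iface"], "proto": d["proto"], "src": d["src"], "dst": d["dst"],
        "sport": None, "dport": None, "icmp_type": None, "icmp_code": None,
    }
    if d["proto"] == "ICMP":
        # ICMP has no ports; the ":N" values (if present) are type and code.
        rec["icmp_type"], rec["icmp_code"] = a, b
    else:
        rec["sport"], rec["dport"] = a, b
    return rec

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_alert(line))
```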