Snort mailing list archives
RE: Why logging the attacked one?
From: Erickson Brent W KPWA <erickson () kpt nuwc navy mil>
Date: Fri, 30 Jan 2004 22:14:32 -0800
Hello Gabriel,

If you run Snort from the command line, you can define logging relative to your home network by using the -h qualifier, for example:

    snort -A fast -d -l log -h 200.231.0.0/16 -c snort.config

You may also be able to accomplish the same result within the snort configuration file logging options. You can also find this information in the Snort manual and in provided Snort documentation.

Best wishes,
Brent Erickson

-----Original Message-----
From: Gabriel Moricz [mailto:gabriel () autofax com br]
Sent: Friday, January 30, 2004 3:10 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Why logging the attacked one?

Hello at all...

First of all, thanks by not helped me in the answer that I had b4... But ok...I forgive u..hehe :-D

Well..I will ask now... I am having a problem..

[**] MS-SQL Worm propagation attempt [**]
01/29-15:49:31.148746 64.63.254.192:0 -> 200.231.117.114:3128
TCP TTL:112 TOS:0x0 ID:676 IpLen:20 DgmLen:40 DF
******S* Seq: 0x3DE75 Ack: 0x0 Win: 0x200 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Looking at this alert my network is 200.231.117.114 and it logged creating a folder with this IP and not with attacker IP.. How can I say to snort log and create the folder with the attacker IP name??

Thanks and I hope that some good heart help me this time...

Gabriel Moricz
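Why the folder was named after 200.231.117.114 and what -h changes, as an added example that is not part of the original thread and is not Snort's own code: a small Python model of how the per-host ASCII log directory is chosen. The function names are hypothetical, and the rule that the higher port wins when both or neither address is inside the home network is an assumption recalled from Snort releases of that period, not something stated in the thread.

```python
import ipaddress
import re

# Second line of a full-format alert: "<timestamp> src:sport -> dst:dport"
HEADER = re.compile(r"(\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)")

def parse_header(line):
    """Extract (src, sport, dst, dport) from an alert header line."""
    m = HEADER.search(line)
    if m is None:
        raise ValueError("no 'src:port -> dst:port' pair in line")
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)

def log_dir_for(line, home_net=None):
    """Return the IP that names the log directory for this packet.

    home_net is the value passed to -h. With no -h the home network is
    modelled as 0.0.0.0/0, so every address counts as "home" (assumption).
    """
    src, sport, dst, dport = parse_header(line)
    net = ipaddress.ip_network(home_net or "0.0.0.0/0")
    src_home = ipaddress.ip_address(src) in net
    dst_home = ipaddress.ip_address(dst) in net
    if dst_home and not src_home:
        return src          # inbound: directory named after the remote sender
    if src_home and not dst_home:
        return dst          # outbound: directory named after the remote peer
    # Both or neither side is "home": assumed tie-break on the higher port.
    return src if sport >= dport else dst

# Header line taken from the alert quoted in the thread.
ALERT = "01/29-15:49:31.148746 64.63.254.192:0 -> 200.231.117.114:3128"

if __name__ == "__main__":
    print("without -h:            ", log_dir_for(ALERT))
    print("with -h 200.231.0.0/16:", log_dir_for(ALERT, "200.231.0.0/16"))
```

Without -h the source port 0 loses the tie-break to destination port 3128, which matches the folder name Gabriel reported; with the home network defined, the directory is named after the remote address.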
Current thread:
- Fw: Why logging the attacked one? Gabriel Moricz (Jan 30)
- <Possible follow-ups>
- Why logging the attacked one? Gabriel Moricz (Jan 30)
- RE: Why logging the attacked one? Erickson Brent W KPWA (Jan 30)
- Why logging the attacked one? Gabriel Moricz (Jan 31)