Snort mailing list archives
truncated portscan alerts with unified2 output
From: ScottO <skippylou () gmail com>
Date: Fri, 10 Sep 2010 11:06:49 -0400
Curious if anyone has seen this.

Before, on alert_full:

[**] [122:19:0] (portscan) UDP Portsweep [**]
[Priority: 3]
08/12-15:30:29.447556 192.168.1.150 -> 192.168.2.165 PROTO:255 TTL:0 TOS:0xC0 ID:17190 IpLen:20 DgmLen:159

After, on unified2:

[**] [122:19:0] portscan: UDP Portsweep [**]
09/09-10:15:28.956109

All are running the same version of Snort (2.8.6) and Barnyard2 (2.1.8).

The unified2 line in snort.conf:

output unified2: filename /var/log/snort_unified2.log, limit 128

Running barnyard2 as:

/usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log -f snort_unified2.log

Barnyard2 also has config options for all the sid and generation maps, classification.config, reference.config.

Anyone with any thoughts on this?

Thanks,
scott
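One way to narrow a report like the one above is to read the unified2 file directly and see whether the packet-level fields (PROTO, TTL, TOS, ID, IpLen, DgmLen and the payload) are in the file at all, which separates "Snort did not write them" from "Barnyard2 did not print them". The script below is an added example, not Snort or Barnyard2 code. It assumes the record layouts Snort 2.8.x writes to unified2 (an 8-byte record header of type and length, the 52-byte UNIFIED2_IDS_EVENT record of type 7, and the 28-byte UNIFIED2_PACKET header of type 2), assumes DLT_RAW (12) for the sample packet so the data starts at the IPv4 header, renders timestamps in UTC, and builds its sample file and payload text inline; the payload wording is constructed for the example and is not taken from this thread.

```python
"""Decode unified2 IDS-event and packet records and render the alert_full-style
header (with PROTO/TTL/TOS/ID/IpLen/DgmLen) plus the packet payload.
Added example, not Snort or Barnyard2 code; layouts as assumed in the lead-in."""
import socket
import struct
from datetime import datetime, timezone

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
DLT_RAW = 12  # assumption for the sample: packet data begins at the IPv4 header
EVENT_FMT = ">11I2H4B"   # sensor,event,sec,usec,sid,gid,rev,class,prio,src,dst,sport,dport,proto,impact_flag,impact,blocked
PACKET_FMT = ">7I"       # sensor,event,event_sec,pkt_sec,pkt_usec,linktype,pkt_len
IPV4_FMT = ">BBHHHBBH4s4s"


def ip2int(addr):
    return int.from_bytes(socket.inet_aton(addr), "big")


def u2_record(rec_type, body):
    """Wrap a record body in the unified2 (type, length) header."""
    return struct.pack(">II", rec_type, len(body)) + body


def ids_event(sensor, eid, sec, usec, gid, sid, rev, cls, prio, src, dst, sport, dport, proto):
    return u2_record(UNIFIED2_IDS_EVENT, struct.pack(
        EVENT_FMT, sensor, eid, sec, usec, sid, gid, rev, cls, prio,
        ip2int(src), ip2int(dst), sport, dport, proto, 0, 0, 0))


def packet_record(sensor, eid, sec, usec, linktype, data):
    hdr = struct.pack(PACKET_FMT, sensor, eid, sec, sec, usec, linktype, len(data))
    return u2_record(UNIFIED2_PACKET, hdr + data)


def ipv4_packet(src, dst, proto, ttl, tos, ip_id, payload):
    """Minimal IPv4 header (IHL=5, checksum left 0) followed by payload."""
    return struct.pack(IPV4_FMT, 0x45, tos, 20 + len(payload), ip_id, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def iter_records(blob):
    """Yield (type, body) for each record; reject a file cut mid-record."""
    off = 0
    while off + 8 <= len(blob):
        rec_type, length = struct.unpack_from(">II", blob, off)
        off += 8
        if off + length > len(blob):
            raise ValueError("truncated unified2 record at offset %d" % (off - 8))
        yield rec_type, blob[off:off + length]
        off += length


def parse_event(body):
    f = struct.unpack(EVENT_FMT, body[:52])
    return {"sensor": f[0], "eid": f[1], "sec": f[2], "usec": f[3], "sid": f[4],
            "gid": f[5], "rev": f[6], "priority": f[8],
            "src": socket.inet_ntoa(struct.pack(">I", f[9])),
            "dst": socket.inet_ntoa(struct.pack(">I", f[10]))}


def parse_packet(body):
    f = struct.unpack(PACKET_FMT, body[:28])
    return {"sensor": f[0], "eid": f[1], "linktype": f[5], "data": body[28:28 + f[6]]}


def parse_ipv4(data):
    ver_ihl, tos, dgmlen, ip_id, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, data[:20])
    iplen = (ver_ihl & 0x0F) * 4
    return {"tos": tos, "dgmlen": dgmlen, "id": ip_id, "ttl": ttl, "proto": proto, "iplen": iplen,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "payload": data[iplen:dgmlen]}


def decode_alerts(blob):
    """Pair each IDS event with the packet record carrying the same sensor and
    event id, then render an alert_full-style line and the decoded payload."""
    events, packets = {}, {}
    for rec_type, body in iter_records(blob):
        if rec_type == UNIFIED2_IDS_EVENT:
            ev = parse_event(body)
            events[(ev["sensor"], ev["eid"])] = ev
        elif rec_type == UNIFIED2_PACKET:
            pk = parse_packet(body)
            packets[(pk["sensor"], pk["eid"])] = pk
    out = []
    for key, ev in sorted(events.items()):
        ts = datetime.fromtimestamp(ev["sec"], tz=timezone.utc).strftime("%m/%d-%H:%M:%S")
        line = "[**] [%d:%d:%d] [**] [Priority: %d] %s.%06d %s -> %s" % (
            ev["gid"], ev["sid"], ev["rev"], ev["priority"], ts, ev["usec"], ev["src"], ev["dst"])
        payload = b""
        pk = packets.get(key)
        if pk and pk["linktype"] == DLT_RAW and len(pk["data"]) >= 20:
            ip = parse_ipv4(pk["data"])
            line += " PROTO:%d TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d" % (
                ip["proto"], ip["ttl"], ip["tos"], ip["id"], ip["iplen"], ip["dgmlen"])
            payload = ip["payload"]
        out.append({"line": line, "payload": payload.decode("ascii", "replace")})
    return out


# Constructed sample: one UDP Portsweep event (gid 122, sid 19) and its
# pseudo-packet with IP proto 255.  The payload text is made up for the example.
SAMPLE_PAYLOAD = (b"Priority Count: 5\nConnection Count: 5\nIP Count: 1\n"
                  b"Scanner IP Range: 192.168.2.165:192.168.2.165\n"
                  b"Port/Proto Count: 5\nPort/Proto Range: 53:53\n")
SAMPLE_FILE = (
    ids_event(0, 1, 1284034528, 956109, 122, 19, 0, 0, 3, "192.168.1.150", "192.168.2.165", 0, 0, 255)
    + packet_record(0, 1, 1284034528, 956109, DLT_RAW,
                    ipv4_packet("192.168.1.150", "192.168.2.165", 255, 0, 0xC0, 17190, SAMPLE_PAYLOAD)))

if __name__ == "__main__":
    for alert in decode_alerts(SAMPLE_FILE):
        print(alert["line"])
        print(alert["payload"])
```

To run it against a real file, replace SAMPLE_FILE with the bytes of the unified2 log and, if the sensor captured on Ethernet rather than a raw link type, skip the link-layer frame before calling parse_ipv4. If the PROTO:255 header and payload decode from the file, the fields survived Snort's output and the difference is in how Barnyard2 renders them; if the packet record is absent or empty, Snort did not write them.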