Snort mailing list archives

truncated portscan alerts with unified2 output


From: ScottO <skippylou () gmail com>
Date: Fri, 10 Sep 2010 11:06:49 -0400

Curious if anyone has seen this.

Before, on alert_full:

[**] [122:19:0] (portscan) UDP Portsweep [**]
[Priority: 3]
08/12-15:30:29.447556 192.168.1.150 -> 192.168.2.165
PROTO:255 TTL:0 TOS:0xC0 ID:17190 IpLen:20 DgmLen:159

After, on unified2:

[**] [122:19:0] portscan: UDP Portsweep [**]
09/09-10:15:28.956109

All are running the same version of Snort (2.8.6) and Barnyard2 (2.1.8).

The unified2 line in snort.conf:

output unified2: filename /var/log/snort_unified2.log, limit 128

Running barnyard2 as: /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log -f snort_unified2.log

Barnyard2 also has config options for all the sid and generation maps,
classification.config, reference.config.

Anyone with any thoughts on this?

Thanks,

scott
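One way to check whether the unified2 file itself still carries the IP-header fields that alert_full printed, or whether they are only dropped when barnyard2 renders the event (an added example, not code from the original post or from the Snort/Barnyard2 projects): this Python script walks unified2 records, joins each IDS event with its packet record by event_id, and decodes the portscan pseudo-IPv4 header. The record layouts (UNIFIED2_IDS_EVENT type 7, UNIFIED2_PACKET type 2) and a raw-IP datalink for the embedded packet are assumptions made here, and the sample stream is constructed to mirror the event in the post.

```python
import socket
import struct

# Record layouts assumed to match Snort 2.8.x unified2 (an assumption for this example).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
REC_HDR = struct.Struct("!II")            # record type, record length
EVENT = struct.Struct("!11IHH4B")         # 52-byte IPv4 IDS event record
PKT_HDR = struct.Struct("!7I")            # 28-byte packet header, raw packet follows
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s") # 20-byte IPv4 header, no options

def parse_unified2(data):
    """Join each IDS event with its packet record; for a portscan (generator 122)
    the packet carries a pseudo IPv4 header (PROTO 255, TTL 0) that holds the
    TOS/ID/DgmLen fields alert_full prints. Assumes a raw-IP datalink."""
    events, pending, off = [], {}, 0
    while off + REC_HDR.size <= len(data):
        rtype, rlen = REC_HDR.unpack_from(data, off)
        body = data[off + REC_HDR.size: off + REC_HDR.size + rlen]
        off += REC_HDR.size + rlen
        if rtype == UNIFIED2_IDS_EVENT:
            f = EVENT.unpack_from(body)
            ev = {"event_id": f[1], "sid": f[4], "gen": f[5], "rev": f[6],
                  "priority": f[8], "proto": f[13],
                  "src": socket.inet_ntoa(struct.pack("!I", f[9])),
                  "dst": socket.inet_ntoa(struct.pack("!I", f[10]))}
            pending[ev["event_id"]] = ev
            events.append(ev)
        elif rtype == UNIFIED2_PACKET:
            p = PKT_HDR.unpack_from(body)
            pkt = body[PKT_HDR.size: PKT_HDR.size + p[6]]
            ev = pending.get(p[1])
            # Only decode when the packet really starts with an IPv4 header.
            if ev is not None and len(pkt) >= IPV4_HDR.size and pkt[0] >> 4 == 4:
                vi, tos, dlen, ipid, _, ttl, proto, _, s, d = IPV4_HDR.unpack_from(pkt)
                ev.update(ip_len=(vi & 0xF) * 4, tos=tos, dgm_len=dlen, id=ipid,
                          ttl=ttl, pkt_proto=proto,
                          pkt_src=socket.inet_ntoa(s), pkt_dst=socket.inet_ntoa(d))
    return events

def sample_portscan_stream():
    """Constructed sample: one UDP Portsweep event (122:19:0) plus its pseudo packet."""
    src, dst = socket.inet_aton("192.168.1.150"), socket.inet_aton("192.168.2.165")
    ev = EVENT.pack(1, 7, 1284041728, 956109, 19, 122, 0, 0, 3,
                    struct.unpack("!I", src)[0], struct.unpack("!I", dst)[0],
                    0, 0, 255, 0, 0, 0)
    report = b"Priority Count: 1\nConnection Count: 7\n".ljust(139, b" ")
    ip = IPV4_HDR.pack(0x45, 0xC0, 20 + len(report), 17190, 0, 0, 255, 0, src, dst)
    pkt = PKT_HDR.pack(1, 7, 1284041728, 1284041728, 956109, 12, 20 + len(report))
    return (REC_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev +
            REC_HDR.pack(UNIFIED2_PACKET, len(pkt) + 20 + len(report)) + pkt + ip + report)
```

Point `parse_unified2` at the bytes of /var/log/snort_unified2.log.<timestamp> instead of the sample; if the 122:19 event comes back with `dgm_len`, `ttl` and `tos` populated, the detail is in the file and the gap is in how barnyard2 prints portscan events.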