Snort mailing list archives
Portscan log file format
From: Joshua Polsky <jpolsky () cymtec com>
Date: Thu, 21 Apr 2011 21:01:49 +0000
I had a question dealing with this particular option in the snort.conf file:

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { high } scan_type { all }

I am trying to determine if the logging method has changed for the portscans. Currently, if I add a log file to this preprocessor, I get this format:

Time: 04/13-15:29:41.660134
event_id: 6042
x.x.x.x -> x.x.x.x(portscan) UDP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 66
Scanner IP Range:x.x.x.x:x.x.x.x
Port/Proto Count: 32
Port/Proto Range: 137:17500

I was looking up some information about an older preprocessor for portscan, just entitled "portscan", and noticed that it was able to log packets to the portscan.log file as follows:

Mar 25 23:05:46 192.168.100.20:60126 -> 10.10.117.13:751 SYN ******S*

I was wondering if this type of format is still possible, or if I am able to get similar information from the newer preprocessor. The reason I ask about this is because we have a program that uses the information from the portscan, and it was looking for this older format.

Thanks for any help anybody can provide.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
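Added example (not part of the post above, and not Snort's own code): a small Python parser for the multi-line sfportscan log-file records quoted in the post, written to show what a downstream program would have to do to consume the newer format. Each record starts at a "Time:" line, followed by "event_id:", a "src -> dst (portscan) PROTO description" line, and a set of "Label: value" lines. The function and class names (parse_sfportscan_log, PortscanEvent, one_line) and the SAMPLE_LOG input are assumptions of this example; the sample addresses are constructed, not captured. The parser tolerates both the spaced layout from the Snort documentation and the tighter spacing shown in the post, and the one_line flattener emits a per-event summary line, since these records are aggregates and contain none of the per-packet "src:port -> dst:port SYN ******S*" lines of the old preprocessor.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not a real capture): two records in the sfportscan
# log-file layout quoted in the post. The second record uses the post's tighter
# spacing ("x.x.x.x(portscan)", "Scanner IP Range:...") to exercise the parser.
SAMPLE_LOG = """\
Time: 04/13-15:29:41.660134
event_id: 6042
10.0.0.5 -> 192.168.1.10 (portscan) UDP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 66
Scanner IP Range: 10.0.0.5:10.0.0.70
Port/Proto Count: 32
Port/Proto Range: 137:17500
Time: 04/13-15:31:02.000123
event_id: 6043
10.0.0.9 -> 192.168.1.20(portscan) TCP Portscan
Priority Count: 5
Connection Count: 12
IP Count: 1
Scanner IP Range:10.0.0.9:10.0.0.9
Port/Proto Count: 12
Port/Proto Range: 21:443
"""

# "src -> dst (portscan) PROTO description"; whitespace around "(portscan)" is optional.
HEADER_RE = re.compile(
    r"^(?P<src>\S+?)\s*->\s*(?P<dst>\S+?)\s*\(portscan\)\s+(?P<proto>\S+)\s+(?P<kind>.+?)\s*$"
)
# "Label: value"; the label stops at the first ':' so "Port/Proto Range: 137:17500" keeps its value intact.
KV_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


@dataclass
class PortscanEvent:
    time: str
    event_id: int
    src: str
    dst: str
    proto: str
    kind: str                      # e.g. "Filtered Portscan", "Portscan"
    priority_count: int
    connection_count: int
    ip_count: int
    port_proto_count: int
    ip_range: Optional[Tuple[str, str]]
    port_range: Optional[Tuple[int, int]]


def _split_range(value: str, conv):
    """'lo:hi' -> (conv(lo), conv(hi)), or None if absent. Splits on the last ':'
    so dotted IPv4 addresses survive; IPv6 ranges are not handled by this example."""
    lo, sep, hi = value.rpartition(":")
    if not sep:
        return None
    return conv(lo.strip()), conv(hi.strip())


def _build_event(fields: Dict[str, str], header: Optional[Dict[str, str]]) -> PortscanEvent:
    if header is None:
        raise ValueError(f"record event_id={fields.get('event_id')!r} lacks a 'src -> dst' line")
    # The post shows "Scanner IP Range"; any "... IP Range" label is accepted here.
    ip_range_raw = next((v for k, v in fields.items() if k.endswith("IP Range")), "")
    return PortscanEvent(
        time=fields["Time"],
        event_id=int(fields["event_id"]),
        src=header["src"], dst=header["dst"], proto=header["proto"], kind=header["kind"],
        priority_count=int(fields.get("Priority Count", 0)),
        connection_count=int(fields.get("Connection Count", 0)),
        ip_count=int(fields.get("IP Count", 0)),
        port_proto_count=int(fields.get("Port/Proto Count", 0)),
        ip_range=_split_range(ip_range_raw, str),
        port_range=_split_range(fields.get("Port/Proto Range", ""), int),
    )


def parse_sfportscan_log(text: str) -> List[PortscanEvent]:
    """Split the log into records; a new record begins at every 'Time:' line."""
    events: List[PortscanEvent] = []
    fields: Dict[str, str] = {}
    header: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Time:") and fields:
            events.append(_build_event(fields, header))
            fields, header = {}, None
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        kv = KV_RE.match(line)
        if kv:
            fields[kv.group("key")] = kv.group("value")
    if fields:
        events.append(_build_event(fields, header))
    return events


def one_line(ev: PortscanEvent) -> str:
    """Flatten one aggregate record to a single line for a line-oriented consumer.
    This is a summary of the sfportscan event, not the old per-packet portscan.log line."""
    ports = f"{ev.port_range[0]}-{ev.port_range[1]}" if ev.port_range else "?"
    return (f"{ev.time} {ev.src} -> {ev.dst} {ev.proto} {ev.kind} "
            f"conns={ev.connection_count} ips={ev.ip_count} ports={ports} prio={ev.priority_count}")


if __name__ == "__main__":
    for ev in parse_sfportscan_log(SAMPLE_LOG):
        print(one_line(ev))
```

Run against a real log by reading the file and passing its contents to parse_sfportscan_log; if the downstream program can be adapted to line-oriented input, one_line gives it one row per event, with the scan counts and ranges that sfportscan does provide.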
Current thread:
- Portscan log file format Joshua Polsky (Apr 22)