Snort mailing list archives
Re: blocked instead of alert
From: beenph <beenph () gmail com>
Date: Tue, 7 May 2013 12:51:30 -0400
On Tue, May 7, 2013 at 12:33 PM, waldo kitty <wkitty42 () windstream net> wrote:
On 5/7/2013 04:22, Balla István wrote:yes, it is unified2. the last piece of (Event) is the *blocked:1.*right... i see that... that is what u2spewfoo is outputting...
While you can help Waldo, here i think you bring a bit of confusion to the thread. The initial question from Balla is, why event 1 is considered as blocked while the other is not considered as blocked. While both events have the same src ip dest ip src port dest port. My wild guess would be that its because it could be triggering of the same packet and the engine only block once but alert twice, but to be sure mabey Balla should provide a pcap file with his configuration that lead to the generation of those events and mabey someone @sf could answer better at this point.
i'm asking what a blocked entry looks like in the /raw/ unified2 log file... that is the key to figuring out and understanding why it is being shown by u2spewfoo as a block...
Blocked is a unified2 structure field and its part of every unified2 event type, its set by the engine, thus u2spewfoo does not makeup "block", its only displaying it.
correct... i do not think that is normal snort output... it is what u2spewfoo has output...
See above waldo.
should logged events look different?not if you are using u2spewfoo, AFAIK...
See above also. -elz ------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. This 200-page book is written by three acclaimed leaders in the field. The early access version is available now. Download your free book today! http://p.sf.net/sfu/neotech_d2d_may _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- blocked instead of alert Balla István (May 06)
- Re: blocked instead of alert waldo kitty (May 06)
- Re: blocked instead of alert beenph (May 06)
- Re: blocked instead of alert waldo kitty (May 06)
- Message not available
- Re: blocked instead of alert Balla István (May 07)
- Re: blocked instead of alert waldo kitty (May 07)
- Re: blocked instead of alert beenph (May 07)
- Re: blocked instead of alert waldo kitty (May 07)
- Re: blocked instead of alert Balla István (May 07)
- Re: blocked instead of alert Balla István (May 07)
- Re: blocked instead of alert beenph (May 06)
- Re: blocked instead of alert waldo kitty (May 06)