Snort mailing list archives
Re: Snort sfpreprocessor question
From: Leo Nespoli <leo4b () hotmail it>
Date: Tue, 31 May 2016 17:20:09 +0000
Hello!

What I'd like to change is the "protocol field":

05/31-15:37:07.430822 [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 127.0.0.1 -> 127.0.0.1

First of all, because I cannot reach full compatibility with other tools; and then I think it would be nicer if a TCP portscan had {TCP} as its protocol.

Do you think that this is possible?

Thanks!

________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: Tuesday, 31 May 2016 19:03
To: Leo Nespoli
Cc: 'snort-users' (snort-users () lists sourceforge net)
Subject: RE: Snort sfpreprocessor question

Hello Leo,

What are you trying to change the field to? If you want to see what ports were scanned then you would need to turn up your logging to get more information.

05/31-15:37:07.430822 [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 127.0.0.1 -> 127.0.0.1

05/31-15:37:07.430822 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0xA9
127.0.0.1 -> 127.0.0.1 PROTO:255 TTL:64 TOS:0x0 ID:41288 IpLen:20 DgmLen:155 DF
50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20  Priority Count:
35 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75  5.Connection Cou
6E 74 3A 20 36 0A 49 50 20 43 6F 75 6E 74 3A 20  nt: 6.IP Count:
31 0A 53 63 61 6E 6E 65 72 20 49 50 20 52 61 6E  1.Scanner IP Ran
67 65 3A 20 31 32 37 2E 30 2E 30 2E 31 3A 31 32  ge: 127.0.0.1:12
37 2E 30 2E 30 2E 31 0A 50 6F 72 74 2F 50 72 6F  7.0.0.1.Port/Pro
74 6F 20 43 6F 75 6E 74 3A 20 36 0A 50 6F 72 74  to Count: 6.Port
2F 50 72 6F 74 6F 20 52 61 6E 67 65 3A 20 31 31  /Proto Range: 11
31 3A 38 30 38 30 0A                             1:8080.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc.
now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Leo Nespoli [mailto:leo4b () hotmail it]
Sent: Tuesday, May 31, 2016 5:10 AM
To: Al Lewis (allewi); snort-users () lists sourceforge net
Subject: Re: Snort sfpreprocessor question

Hi Dr. Lewis,

I've attached the pcap file you requested. I did an nmap scan, so that a portscan rule is fired. I have the sfportscan preprocessor enabled, together with some preprocessor rules. This is the log that is coming out:

[122:1:1] (portscan) TCP Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 192.168.1.110 -> 192.168.1.107

Thanks for your time and your availability,
MaLeo.

________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: Tuesday, 31 May 2016 07:22
To: Leo Nespoli; snort-users () lists sourceforge net
Subject: RE: Snort sfpreprocessor question

Can you provide a conf and pcap of the traffic that is generating PROTO:255 alerts please?

Thanks

Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc.
now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Leo Nespoli [mailto:leo4b () hotmail it]
Sent: Monday, May 30, 2016 2:06 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort sfpreprocessor question

Hello,

Is it possible to change the protocol field generated by sfpreprocessor? I have some logs with {PROTO:255}, and I'd like to change this field.

Thanks,
MaLeo.
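The verbose alert Al Lewis pasted shows what sfportscan actually emits: not the scanner's own packet but a synthesized one (all-zero MAC addresses, IP protocol 255, no TCP header) whose payload is a plain-ASCII scan summary ("Priority Count", "Connection Count", "IP Count", "Scanner IP Range", "Port/Proto Count", "Port/Proto Range"). That is why the fast alert says {PROTO:255} even for a "TCP Portscan". The following is an added example, not code from the thread or from Snort: it decodes that payload from the hex dump above, and it does the rewrite Leo asks for as a post-processing step over the fast alert file, turning {PROTO:255} into {TCP} only on GID 122 alerts. The assumptions are labelled in the code: the fast-alert regex, the set of protocol words that sfportscan messages start with (only "TCP Portscan" appears in the thread), and IPv4 in the range fields.

```python
import re
from typing import Dict, Optional, Tuple

# Hex dump of the sfportscan pseudo-packet payload, copied from Al Lewis's
# verbose alert in the thread (DgmLen 155 minus IpLen 20 = 135 payload bytes).
PAYLOAD_HEX = """
50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20
35 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75
6E 74 3A 20 36 0A 49 50 20 43 6F 75 6E 74 3A 20
31 0A 53 63 61 6E 6E 65 72 20 49 50 20 52 61 6E
67 65 3A 20 31 32 37 2E 30 2E 30 2E 31 3A 31 32
37 2E 30 2E 30 2E 31 0A 50 6F 72 74 2F 50 72 6F
74 6F 20 43 6F 75 6E 74 3A 20 36 0A 50 6F 72 74
2F 50 72 6F 74 6F 20 52 61 6E 67 65 3A 20 31 31
31 3A 38 30 38 30 0A
"""

# Fast-format alert line, copied from the thread.
ALERT_LINE = ("05/31-15:37:07.430822 [**] [122:1:1] (portscan) TCP Portscan [**] "
              "[Classification: Attempted Information Leak] [Priority: 2] "
              "{PROTO:255} 127.0.0.1 -> 127.0.0.1")

PORTSCAN_GID = 122            # generator id of the portscan alerts in the thread
PSEUDO_PROTO = "PROTO:255"    # what the pseudo-packet shows in the {...} field


def decode_portscan_payload(hex_dump: str) -> Dict[str, str]:
    """Turn the pseudo-packet payload into {field: value}.

    The payload is ASCII text, one "Key: value" pair per line, exactly as
    the hex dump's right-hand column shows. A line without ": " is an error
    rather than silently skipped, so a changed format is noticed.
    """
    raw = bytes.fromhex("".join(hex_dump.split()))
    fields: Dict[str, str] = {}
    for line in raw.decode("ascii").splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"unexpected payload line: {line!r}")
        fields[key] = value
    return fields


def port_range(fields: Dict[str, str]) -> Tuple[int, int]:
    """'Port/Proto Range: 111:8080' -> (111, 8080). Assumes an IPv4 scan,
    so ':' only separates the two ends of the range."""
    lo, hi = fields["Port/Proto Range"].split(":", 1)
    return int(lo), int(hi)


# Assumed shape of a fast-format alert line. The [Classification: ...] part is
# absent for rules without a classtype, so everything between the message and
# the {proto} field is captured loosely.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] (?P<rest>.*?)\{(?P<proto>[^}]+)\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)$"
)

# Assumption: sfportscan messages begin with the scanned protocol. Only
# "TCP Portscan" is shown in the thread; UDP and ICMP are added by analogy.
SCAN_PROTOS = {"TCP", "UDP", "ICMP"}


def scanned_protocol(msg: str) -> Optional[str]:
    """'(portscan) TCP Portscan' -> 'TCP'; None when not recognisable."""
    tokens = msg.split()
    if tokens and tokens[0].startswith("("):   # drop the "(portscan)" tag
        tokens = tokens[1:]
    if tokens and tokens[0] in SCAN_PROTOS:
        return tokens[0]
    return None


def normalize_portscan_proto(line: str) -> str:
    """Rewrite {PROTO:255} to {TCP}/{UDP}/{ICMP} on GID 122 alerts only.

    Any line that is not a portscan pseudo-packet alert is returned unchanged,
    so the function can be run over a whole alert file.
    """
    m = ALERT_RE.match(line)
    if (not m or int(m.group("gid")) != PORTSCAN_GID
            or m.group("proto") != PSEUDO_PROTO):
        return line
    proto = scanned_protocol(m.group("msg"))
    if proto is None:
        return line
    start, end = m.span("proto")
    return line[:start] + proto + line[end:]


if __name__ == "__main__":
    print(decode_portscan_payload(PAYLOAD_HEX))
    print(port_range(decode_portscan_payload(PAYLOAD_HEX)))
    print(normalize_portscan_proto(ALERT_LINE))
```

To feed a real alert file through it, iterate over its lines and call normalize_portscan_proto on each one with the trailing newline stripped. Because this rewrites the log rather than what Snort emits, keep the original alert (or the rewritten field beside it): the 255 is the only hint in the fast format that the event is a synthesized portscan summary and not an alert on a real TCP packet, and the summary itself (ports, counts, scanner range) only exists in the payload, which is why Al Lewis points at the verbose logging.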
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort sfpreprocessor question Leo Nespoli (May 30)
- Re: Snort sfpreprocessor question Al Lewis (allewi) (May 30)
- Re: Snort sfpreprocessor question Leo Nespoli (Jun 03)
- Re: Snort sfpreprocessor question Al Lewis (allewi) (May 31)
- Re: Snort sfpreprocessor question Leo Nespoli (May 31)
- Re: Snort sfpreprocessor question Al Lewis (allewi) (May 31)
- Re: Snort sfpreprocessor question Leo Nespoli (Jun 03)
- Re: Snort sfpreprocessor question Al Lewis (allewi) (May 30)