Snort mailing list archives
Re: Snort++ weird alerts popping
From: João Soares <joaops () dei uc pt>
Date: Mon, 26 Sep 2016 12:17:59 +0100
Hey, thanks for your reply.

The version I'm using is version 3.0.0-a4 (Build 197) from 2.9.7-262.

I'm testing what you suggested, and I'm currently outputting the logs into both alert_full and csv. The following is an example of the same alert in both formats:

*alert_full:*

[**] [1:3827:14] "SERVER-WEBAPP PHP xmlrpc.php post attempt" [**]
09/26/16-12:15:09.913247

*alert_csv (IPs are hidden for privacy purposes):*

09/26/16-12:15:09.913247, 3027648, TCP, stream_tcp, 462, C2S, <IP>:52837, <IP>:80, 1:3827:14, allow

Using alert_csv, I'm getting the remaining info: source IP and port, destination IP and port, etc., but that is still not happening with alert_full.

Please note that I'm using the same example (xmlrpc.php post attempt), but this happens with other rules as well.

On 09/26/2016 03:50 AM, Russ wrote:

What version of Snort++ are you running? Can you try using -A cmg or -A csv to see what the alerts look like?

On 9/25/16 12:14 PM, João Soares wrote:

Greetings,

Lately I've been having a few problems with Snort++. Some alerts are constantly showing up with no relevant info, like this one:

[**] [1:3827:14] "SERVER-WEBAPP PHP xmlrpc.php post attempt" [**]
09/25/16-17:10:44.470717

There are instances of the same alert with every bit of detail, like the classification and the source and destination IPs/MACs, but then there are many like the one above with nothing but the description.

Has this ever occurred to anyone?
-- João Soares SIC - Serviço de Informática e Comunicações https://helpdesk.dei.uc.pt Department of Informatics Engineering Faculty of Science and Technology University of Coimbra
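As an added example (not from the thread, and not Snort's own code), the following Python correlates the two output formats quoted above: it parses the bare alert_full header/timestamp records and the alert_csv rows, then fills in the source and destination that alert_full is missing from the csv row carrying the same timestamp and gid:sid:rev. The csv column names are assumed from Snort 3's default alert_csv field order, and the IP addresses are constructed placeholders because the original mail redacted them.

```python
import re

# Constructed sample records modelled on the lines quoted in the mail.
# The second alert_full record has no csv counterpart, to show the unmatched case.
ALERT_FULL = """[**] [1:3827:14] "SERVER-WEBAPP PHP xmlrpc.php post attempt" [**]
09/26/16-12:15:09.913247
[**] [1:3827:14] "SERVER-WEBAPP PHP xmlrpc.php post attempt" [**]
09/25/16-17:10:44.470717
"""
# Placeholder IPs (192.0.2.10, 198.51.100.5) stand in for the redacted <IP> values.
ALERT_CSV = """09/26/16-12:15:09.913247, 3027648, TCP, stream_tcp, 462, C2S, 192.0.2.10:52837, 198.51.100.5:80, 1:3827:14, allow
"""

# Assumed: Snort 3 default alert_csv field order, matching the 10 columns in the mail.
CSV_FIELDS = ("timestamp", "pkt_num", "proto", "pkt_gen", "pkt_len",
              "dir", "src_ap", "dst_ap", "rule", "action")

HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+:\d+:\d+)\] "([^"]*)" \[\*\*\]$')
TS_RE = re.compile(r'^\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}$')

def parse_alert_full(text):
    """Yield {'rule', 'msg', 'timestamp'} for each bare alert_full record
    (header line followed by a timestamp line, as shown in the mail)."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"rule": m.group(1), "msg": m.group(2), "timestamp": None}
            alerts.append(current)
        elif current is not None and TS_RE.match(line):
            current["timestamp"] = line
    return alerts

def parse_alert_csv(text):
    """Map each alert_csv row onto CSV_FIELDS; rows with a different column
    count are skipped rather than silently misaligned."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == len(CSV_FIELDS):
            rows.append(dict(zip(CSV_FIELDS, parts)))
    return rows

def enrich(full_alerts, csv_rows):
    """Attach src_ap/dst_ap/dir from the csv row sharing timestamp and
    gid:sid:rev; records without a match keep None in those fields."""
    index = {(r["timestamp"], r["rule"]): r for r in csv_rows}
    merged = []
    for a in full_alerts:
        row = index.get((a["timestamp"], a["rule"]))
        extra = {k: (row[k] if row else None) for k in ("src_ap", "dst_ap", "dir")}
        merged.append({**a, **extra})
    return merged
```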