Snort mailing list archives
RE: Tcpdump, alerts and portscans
From: "Jason Lewis" <jlewis () jasonlewis net>
Date: Mon, 25 Jun 2001 03:01:50 -0400
So, I wake up at 2:30am and realize what the problem is. A case of lack of sleep and tunnel vision. I somehow missed the -A full on the command line for the instance of snort reading the tcpdump file. Sometimes just writing it down and letting it bounce around in your brain is the thing to do.

Thanks for listening. ;)

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason Lewis
Sent: Sunday, June 24, 2001 10:40 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Tcpdump, alerts and portscans

Maybe I have been looking at this too long and I am not seeing the obvious. Or, maybe I made an assumption about tcpdump.

I am replaying tcpdump files with snort and putting the info into ACID. I am not seeing any portscans in ACID after the replay. Is this normal? Is it just a configuration setting I have overlooked? I thought tcpdump held all the packet info and snort could replay it and identify portscans. Wrong?

On the box that is replaying the tcpdump files, I have the following:

    output database: log, mysql, dbname=snort_log user=snort host=localhost password=abc123
    output database: alert, mysql, dbname=snort_log user=snort host=localhost password=abc123

What am I missing?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users