Snort mailing list archives

RE: Tcpdump, alerts and portscans


From: "Jason Lewis" <jlewis () jasonlewis net>
Date: Mon, 25 Jun 2001 03:01:50 -0400

So, I wake up at 2:30am and realize what the problem is.  A case of lack of
sleep and tunnel vision.  I somehow missed the -A full on the command line
for the instance of snort reading the tcpdump file.

Sometimes just writing it down and letting it bounce around in your brain is
the thing to do.  Thanks for listening.  ;)

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.
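The thread's conclusion is that the replay instance of snort needs the same -A full alert mode as a live instance, plus an "output database: alert" directive, before anything shows up in ACID. The following is an added example (not from the thread and not Snort's own code) that parses the two output directives quoted in the original post and flags a replay command line that is missing -r or -A full. The sample config text and command lines are constructed for the example; snort itself is never executed.

```python
"""Sanity-check a Snort pcap-replay setup, based on the thread's findings."""
import shlex

# Constructed copy of the two directives from the original post, one per line
# (the password is the placeholder value the poster used, not a real credential).
SAMPLE_CONF = """\
output database: log, mysql, dbname=snort_log user=snort host=localhost password=abc123
output database: alert, mysql, dbname=snort_log user=snort host=localhost password=abc123
"""


def parse_output_database(conf_text):
    """Return one dict per 'output database:' line: facility, backend and key=value params."""
    directives = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("output database:"):
            continue
        body = line[len("output database:"):].strip()
        parts = [p.strip() for p in body.split(",", 2)]
        if len(parts) != 3:
            continue  # malformed directive; skip rather than guess
        facility, backend, params = parts
        kv = dict(tok.split("=", 1) for tok in params.split() if "=" in tok)
        directives.append({"facility": facility, "backend": backend, "params": kv})
    return directives


def check_replay_cmdline(cmdline, directives):
    """Return a list of findings for a snort replay command line.

    Per the thread: reading a tcpdump file needs -r <file>, and the poster's fix
    was adding -A full to the replay instance; alerts only reach ACID through an
    'output database: alert' directive.
    """
    argv = shlex.split(cmdline)
    findings = []
    if "-r" not in argv:
        findings.append("no -r: snort is not reading a tcpdump file")
    if "-A" not in argv:
        findings.append("no -A mode: thread's fix was adding -A full to the replay instance")
    else:
        idx = argv.index("-A")
        mode = argv[idx + 1] if idx + 1 < len(argv) else None
        if mode != "full":
            findings.append("-A mode is %r, thread used 'full'" % mode)
    if "alert" not in {d["facility"] for d in directives}:
        findings.append("no 'output database: alert' directive, so alerts never reach ACID")
    return findings


if __name__ == "__main__":
    conf = parse_output_database(SAMPLE_CONF)
    for cmd in ("snort -c snort.conf -r capture.pcap",
                "snort -c snort.conf -r capture.pcap -A full"):
        print(cmd, "->", check_replay_cmdline(cmd, conf) or "ok")
```

Run it as-is to see the first command line (the one the poster started with) flagged and the second accepted; point parse_output_database at a real snort.conf to check which facilities are actually wired to the database.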



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Jason Lewis
Sent: Sunday, June 24, 2001 10:40 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Tcpdump, alerts and portscans


Maybe I have been looking at this too long and I am not seeing the obvious.
Or, maybe I made an assumption about tcpdump.

I am replaying tcpdump files with snort and putting the info into ACID.  I
am not seeing any portscans in ACID after the replay.  Is this normal?  Is
it just a configuration setting I have overlooked?  I thought tcpdump held
all the packet info and snort could replay it and identify portscans.
Wrong?

On the box that is replaying the tcpdump files, I have the following:

output database: log, mysql, dbname=snort_log user=snort host=localhost password=abc123
output database: alert, mysql, dbname=snort_log user=snort host=localhost password=abc123

What am I missing?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

