Snort mailing list archives

RE: Tcpdump, alerts and portscans


From: "Jason Lewis" <jlewis () jasonlewis net>
Date: Mon, 25 Jun 2001 14:46:19 -0400

Yeah, I thought I had solved it.  I was using -A full on the command line
and that overrides the config file.  But, portscans are not making it into
ACID.

Couldn't a replay do the same thing on the tcpdump file?  I mean doesn't it
seem possible that a processor could look at the tcpdump file and store the
same info and make the same conclusions about connections?

Maybe I can log portscans to a file and then insert those into ACID?  It
doesn't look like there is anything fancy happening with portscans when they
are put into ACID normally?  Does that sound like it might work?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.
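An added example, not code from this thread or from Snort or ACID: the portscan preprocessor Phil describes keeps per-source state in memory and emits an alert once enough distinct targets pile up, which is why the alert itself carries no packets. Replaying the original tcpdump file does let a reader rebuild that state, because the SYNs are all still in the capture. The script below builds a small pcap in memory (constructed traffic, not a real capture), parses it with nothing but the standard library, runs a sliding-window SYN-scan detector over it, and produces both an alert record and the per-packet "timestamp src:port -> dst:port" lines of the kind the preprocessor writes to its scan log. The threshold, window and detection logic are assumptions for illustration and do not reproduce Snort's actual preprocessor.

```python
"""Replay a pcap through a minimal SYN portscan detector (added example).

Constructed input: the pcap bytes are built in memory below, not captured.
"""
import ipaddress
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_tcp_frame(src, sport, dst, dport, flags):
    """Ethernet + IPv4 + TCP header, no payload. Checksums are left zero;
    the detector never verifies them."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """frames: iterable of (timestamp_seconds, frame_bytes) -> pcap bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                       LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (ts, src, sport, dst, dport, tcp_flags) per TCP/IPv4 packet."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic/endianness")
    linktype = struct.unpack_from("<HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue                      # not TCP, or truncated
        src = str(ipaddress.IPv4Address(ip[12:16]))
        dst = str(ipaddress.IPv4Address(ip[16:20]))
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        yield (sec + usec / 1_000_000, src, sport, dst, dport, ip[ihl + 13])


def _logline(ts, src, sport, dst, dport):
    return f"{ts:.6f} {src}:{sport} -> {dst}:{dport}"


def detect_portscans(records, threshold=5, window=3.0):
    """Per source, remember distinct (dst, dport) SYN targets seen within
    `window` seconds; alert once `threshold` is reached. Returns
    (alerts, scanlog): alerts are dicts, scanlog the per-packet lines for
    every packet attributed to a scan (including the ones that triggered it).
    """
    state = defaultdict(list)             # src -> [(ts, sport, dst, dport)]
    alerted, alerts, scanlog = set(), [], []
    for ts, src, sport, dst, dport, flags in records:
        if flags & (TCP_SYN | TCP_ACK) != TCP_SYN:
            continue                      # only bare SYNs count
        hits = [h for h in state[src] if ts - h[0] <= window]
        hits.append((ts, sport, dst, dport))
        state[src] = hits
        if src in alerted:
            scanlog.append(_logline(ts, src, sport, dst, dport))
            continue
        targets = {(d, p) for _, _, d, p in hits}
        if len(targets) >= threshold:
            alerted.add(src)
            alerts.append({"src": src, "first_ts": hits[0][0],
                           "ports": sorted(p for _, p in targets)})
            scanlog.extend(_logline(t, src, sp, d, p) for t, sp, d, p in hits)
    return alerts, scanlog


def sample_capture():
    """Constructed traffic: 10.0.0.5 SYN-scans eight ports in under two
    seconds; 10.0.0.7 does one ordinary connection (SYN, then SYN/ACK back)."""
    t = 993488400.0                       # arbitrary epoch value
    frames = [(t + i * 0.25,
               build_tcp_frame("10.0.0.5", 40000 + i, "192.168.1.10", p, TCP_SYN))
              for i, p in enumerate((21, 22, 23, 25, 80, 110, 143, 443))]
    frames.append((t + 5.0, build_tcp_frame("10.0.0.7", 51000, "192.168.1.10", 80, TCP_SYN)))
    frames.append((t + 5.01, build_tcp_frame("192.168.1.10", 80, "10.0.0.7", 51000, TCP_SYN | TCP_ACK)))
    return build_pcap(frames)


def run(threshold=5, window=3.0):
    return detect_portscans(parse_pcap(sample_capture()), threshold, window)


if __name__ == "__main__":
    found, log = run()
    for a in found:
        print(f"ALERT portscan from {a['src']}: ports {a['ports']}")
    print("\n".join(log))
```

With the defaults, 10.0.0.5 trips the threshold on its fifth SYN; the alert lists the five ports seen so far and the scan log carries all eight packets, while 10.0.0.7's single handshake never registers. Note that the alert is a conclusion drawn from in-memory state: nothing in the alert row alone lets you recover the packets, but the replayed capture does, which is the distinction Phil draws between rule-matched packets written by `-b` and preprocessor alerts.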





-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Phil Wood
Sent: Monday, June 25, 2001 10:41 AM
To: Jason Lewis
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Tcpdump, alerts and portscans


I think there is more to it than that.  The -A full only means that the
entire packet that caused the alert is decoded.  The -b option will write
any packet to a pcap file that was found by a snort RULE.

However, the portscan preprocessor is accumulating information in memory
which can lead to the conclusion that a scan is taking place.  It will
format alert type messages and pass them to the output processor, but not
log (pcap style) the packets that caused it to come to that conclusion.
Also, it will generate a file with a timestamp, source host/port and destination
host/port for each packet.  But, this is not something that you can replay into
snort.

On Mon, Jun 25, 2001 at 03:01:50AM -0400, Jason Lewis wrote:
So, I wake up at 2:30am and realize what the problem is.  A case of lack of
sleep and tunnel vision.  I somehow missed the -A full on the command line
for the instance of snort reading the tcpdump file.

Sometimes just writing it down and letting it bounce around in your brain is
the thing to do.  Thanks for listening.  ;)

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Jason Lewis
Sent: Sunday, June 24, 2001 10:40 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Tcpdump, alerts and portscans


Maybe I have been looking at this too long and I am not seeing the obvious.
Or, maybe I made an assumption about tcpdump.

I am replaying tcpdump files with snort and putting the info into ACID.  I
am not seeing any portscans in ACID after the replay.  Is this normal?  Is
it just a configuration setting I have overlooked?  I thought tcpdump held
all the packet info and snort could replay it and identify portscans.
Wrong?

On the box that is replaying the tcpdump files, I have the following:

output database: log, mysql, dbname=snort_log user=snort host=localhost
password=abc123
output database: alert, mysql, dbname=snort_log user=snort host=localhost
password=abc123

What am I missing?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Phil Wood, cpw () lanl gov



