Snort mailing list archives

snort + guardian


From: Dariusz Brzeziński <dariusz.brzezinski () implozja kalisz pl>
Date: Sun, 9 Sep 2001 23:22:36 +0200

> Hello,
>
> Guardian does not understand log entries written by spp_portscan. I
> believe someday someone is going to make a script which can handle
> spp_portscan alerts too. If you can code in Perl, you can become that
> person. =) Guardian.pl is pretty simple; it shouldn't be difficult to
> modify it.
>
> Yours,
>
> Jyri

I think Guardian does partly understand Snort's scan reports. Look:

Sep  9 21:46:18 211.185.206.2:22 -> 213.25.233.134:22 SYNFIN ******SF

[**] [111:13:1]  <ppp0> spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
09/09-21:46:18.573329 211.185.206.2:22 -> 213.25.233.134:22
TCP TTL:23 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x70F82E9E  Ack: 0xC00ACC4  Win: 0x404  TcpLen: 20

[**] [100:1:1]  <ppp0> spp_portscan: PORTSCAN DETECTED on ppp0 from 211.185.206.2 (STEALTH) [**]
09/09-21:46:18.574951 


Here is Guardian's report:


Sun Sep  9 21:46:18 2001: 211.185.206.2 [111:13:1]  <ppp0> spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
adding '-A input -s 211.185.206.2 -i ppp0 -j DENY' to ipchains
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-- 
Best regards,
 Dariusz                          mailto:dariusz.brzezinski () implozja kalisz pl


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
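The two alert formats quoted above differ in where the scanner's address lives: the spp_stream4 alert is followed by a packet line of the form "src:port -> dst:port", which is what Guardian keys on, while the spp_portscan alert is followed by a timestamp only and carries the address inside the message text ("... from 211.185.206.2 ..."). The following is an added example, written in Python for this archive page rather than taken from Guardian.pl (which is Perl) or from anyone in the thread. It parses both formats from a sample alert file constructed from the post's own lines, plus one invented spp_portscan entry from a documentation address (192.0.2.53), and builds the same ipchains command Guardian printed above. The whitelist is an assumption of the example, not something the thread describes: the source address of a SYN/FIN probe is chosen by whoever sends it, so an auto-blocker that trusts it blindly can be steered into denying your own gateway or resolvers.

```python
import re
import ipaddress

# Constructed sample alert file, modelled on the lines quoted in the post.  The first two
# alerts copy the post's spp_stream4 and spp_portscan entries; the third is an invented
# spp_portscan alert from a documentation address (192.0.2.53), used below to show the
# whitelist.  Not captured from a live sensor.
SAMPLE_ALERTS = """\
[**] [111:13:1]  <ppp0> spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
09/09-21:46:18.573329 211.185.206.2:22 -> 213.25.233.134:22
TCP TTL:23 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x70F82E9E  Ack: 0xC00ACC4  Win: 0x404  TcpLen: 20

[**] [100:1:1]  <ppp0> spp_portscan: PORTSCAN DETECTED on ppp0 from 211.185.206.2 (STEALTH) [**]
09/09-21:46:18.574951

[**] [100:1:1]  <ppp0> spp_portscan: PORTSCAN DETECTED on ppp0 from 192.0.2.53 (STEALTH) [**]
09/09-21:50:02.118204
"""

IPV4 = r'(\d{1,3}(?:\.\d{1,3}){3})'

# "[**] [gen:sid:rev]  <iface> message [**]"  (the interface tag is optional)
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+:\d+:\d+)\]\s+(?:<(\S+)>\s+)?(.*?) \[\*\*\]$')
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"  (the line Guardian keys on)
PACKET_RE = re.compile(r'^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ ' + IPV4 + r'(?::\d+)? -> ' + IPV4 + r'(?::\d+)?$')
# spp_portscan puts the scanner's address inside the message text instead
PORTSCAN_RE = re.compile(r'\bfrom ' + IPV4 + r'\b')


def parse_alerts(text):
    """Return one dict per alert: sid, iface, msg and the offending source address (or None)."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    alerts = []
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if not m:
            continue
        sid, iface, msg = m.groups()
        src = None
        # Format 1: spp_stream4 and ordinary rule alerts are followed by a packet line
        # carrying "src:port -> dst:port".  This is the case Guardian already handles.
        if i + 1 < len(lines):
            pm = PACKET_RE.match(lines[i + 1])
            if pm:
                src = pm.group(1)
        # Format 2: spp_portscan alerts are followed by a timestamp only; the scanner's
        # address has to be pulled out of the message ("... from a.b.c.d ...").
        if src is None and msg.startswith('spp_portscan:'):
            sm = PORTSCAN_RE.search(msg)
            if sm:
                src = sm.group(1)
        alerts.append({'sid': sid, 'iface': iface, 'msg': msg, 'src': src})
    return alerts


def block_commands(alerts, iface, whitelist):
    """Build the ipchains rules Guardian would add, one per distinct source.

    Addresses inside any whitelisted network are never blocked.  The source of a
    SYN/FIN probe is chosen by the sender, so an auto-blocker that trusts it
    blindly can be made to deny your own gateway or resolvers (hypothetical
    safeguard added for this example, not something the thread describes)."""
    protected = [ipaddress.ip_network(w) for w in whitelist]
    seen = set()
    cmds = []
    for a in alerts:
        src = a['src']
        if src is None or src in seen:
            continue
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in protected):
            continue
        seen.add(src)
        cmds.append(f"ipchains -A input -s {src} -i {iface} -j DENY")
    return cmds


if __name__ == '__main__':
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(f"[{a['sid']}] src={a['src']}  {a['msg']}")
    for cmd in block_commands(parsed, 'ppp0', ['192.0.2.0/24']):
        print('adding', repr(cmd))
```

Run as a script it prints the three parsed alerts and a single "adding 'ipchains -A input -s 211.185.206.2 -i ppp0 -j DENY'" line: the two alerts from 211.185.206.2 collapse into one rule, and the 192.0.2.53 alert is dropped by the whitelist. The commands are only built, not executed; wiring them to a real firewall is left to the reader.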
