Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Snort_stat.pl wierdness

From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 1 Nov 2001 13:42:19 -0800 (PST)

Ok, after puttering with this for a while, I thought I'd see if anyone has any
insight on this wierdness.  It's damned odd, since this works just fine on the
same box using snort 1.7 and an older version of snort_stat.

With Snort Version 1.8.2-beta0 (Build 85) and
# $Id: snort_stat.pl,v 1.15.2.6 2001/08/24 01:24:43 yenming Exp $

I grabbed 4 entries from my full alert file and placed them into a small file
called testme.  Then 'cat testme | ./new_snort_stat.pl'.  Now, I would expect
the normal output, but instead I get almost nothing:


---
[erek@merf]/var/log/snort#cat testme | ./new_snort_stat.pl
Subject: snort daily report

The log begins from:   ::
The log ends     at:   ::
Total events: 0
Signatures recorded: 0
Source IP recorded: 0
Destination IP recorded: 0

[...snip...]

The distribution of attack methods
===============================================
        #  of
  %    attacks   method
===============================================

---

All of the stats show _nothing_.  No alerts or anything.  But--In the testme
file, I have the following:

---
[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26/01-18:40:47.967396 206.191.48.234:3006 -> 10.10.0.73:80
TCP TTL:106 TOS:0x4 ID:28063 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x47AC98A  Ack: 0xD9FCC5DA  Win: 0x2238  TcpLen: 20

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26/01-18:40:48.217643 206.191.48.234:3045 -> 10.10.0.73:80
TCP TTL:106 TOS:0x4 ID:61599 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x47ACA94  Ack: 0xD9FDD3EB  Win: 0x2238  TcpLen: 20

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26/01-18:40:48.465891 206.191.48.234:3072 -> 10.10.0.73:80
TCP TTL:106 TOS:0x4 ID:21152 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x47ACB7F  Ack: 0xD9FF05D3  Win: 0x2238  TcpLen: 20

[**] [1:515:2] MISC source port 53 to <1024 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/26/01-21:46:50.717413 129.250.35.250:53 -> 10.10.0.76:137
UDP TTL:246 TOS:0x0 ID:20975 IpLen:20 DgmLen:128 DF
Len: 108
---

Anyone?  Bueler?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: