Snort mailing list archives

ACID: sort order for email "alerts full"


From: John Sage <jsage () finchhaven com>
Date: Sun, 7 Apr 2002 19:44:26 -0700

What controls the sort order for a query that is then emailed "alerts
full"?

Or, more importantly, if I sort the results of a query after the
query is run, is it _not_ possible to retain that different sort order
(different from the one the query was first made under), and have that
new sort order be retained intact into the email body?

I have been running the query sort order "none", "timestamp (ascend)",
or "timestamp (descend)" and every time the sort order performed by
the query is performed correctly.

But...

When the query is emailed, the sort order reverts to something that is
neither from the original query nor the sort order I performed upon
the query results.

(The query itself is "proto=udp and (src_port=137 or dst_port=137)")

Here's an example: The query was run "timestamp descending", and all
through the emailed report are anomalies like this, with sequential
packets from one specific IP sorted whatever-the-hell...

<snip>

------------------------------------------------------------------------------
#(1 - 218) [2002-01-04 06:17:13]  UDP to 137 netBIOS ns
IPv4: 208.51.230.16 -> 12.82.140.57
      hlen=5 TOS=0 dlen=78 ID=24664 flags=0 offset=0 TTL=113 chksum=39543
UDP:  port=137 -> dport: 137 len=58
Payload:  length = 50

000 : CA 50 00 00 00 01 00 00 00 00 00 00 20 43 4B 41   .P.......... CKA
010 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
020 : 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21   AAAAAAAAAAAAA..!
030 : 00 01                                             ..
------------------------------------------------------------------------------
#(1 - 219) [2002-01-04 06:17:14]  UDP to 137 netBIOS ns
IPv4: 208.51.230.16 -> 12.82.140.57
      hlen=5 TOS=0 dlen=78 ID=24749 flags=0 offset=0 TTL=111 chksum=39970
UDP:  port=137 -> dport: 137 len=58
Payload:  length = 50

000 : CA 94 00 00 00 01 00 00 00 00 00 00 20 43 4B 41   ............ CKA
010 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
020 : 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21   AAAAAAAAAAAAA..!
030 : 00 01                                             ..
------------------------------------------------------------------------------
#(1 - 217) [2002-01-04 06:17:11]  UDP to 137 netBIOS ns
IPv4: 208.51.230.16 -> 12.82.140.57
      hlen=5 TOS=0 dlen=78 ID=24566 flags=0 offset=0 TTL=111 chksum=40153
UDP:  port=137 -> dport: 137 len=58
Payload:  length = 50

000 : CA 06 00 00 00 01 00 00 00 00 00 00 20 43 4B 41   ............ CKA
010 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
020 : 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21   AAAAAAAAAAAAA..!
030 : 00 01                                             ..
------------------------------------------------------------------------------

<snip>

OK: rude hack: I seem to be able to control the sort order of the
email by sorting as I want, and emailing each individual screen, one
at a time...

...but there's gotta be a better way.


- John
-- 
In those days, you could not buy a $2000 200MHz Pentium server.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
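Added example (not ACID, Snort or the poster's own code): a small Python script that parses "alerts full" entries in exactly the text format quoted above, re-sorts them by timestamp after the fact (so the order no longer depends on how the e-mail body was generated), and decodes the NetBIOS Name Service question carried in each payload. The sample report is constructed from the three entries in the post, kept in the out-of-order sequence the e-mail produced; the function and record names are assumptions of this example. Decoding the payload also shows what those alerts are: "CKAAAA..." is the first-level-encoded wildcard name "*", and QTYPE 0x0021 is NBSTAT, i.e. a node status request of the kind nbtstat -A sends.

```python
# Added example (not ACID, Snort or the poster's code): parse ACID "alerts full"
# entries, re-sort them by timestamp, and decode the NBNS question in the payload.
import re
from collections import namedtuple
from datetime import datetime

# Constructed input: the three entries quoted in the post, kept in the order the
# e-mail delivered them (cid 218, 219, 217 - not timestamp order).
SAMPLE_REPORT = """\
------------------------------------------------------------------------------
#(1 - 218) [2002-01-04 06:17:13]  UDP to 137 netBIOS ns
IPv4: 208.51.230.16 -> 12.82.140.57
      hlen=5 TOS=0 dlen=78 ID=24664 flags=0 offset=0 TTL=113 chksum=39543
UDP:  port=137 -> dport: 137 len=58
Payload:  length = 50

000 : CA 50 00 00 00 01 00 00 00 00 00 00 20 43 4B 41   .P.......... CKA
010 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
020 : 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21   AAAAAAAAAAAAA..!
030 : 00 01                                             ..
------------------------------------------------------------------------------
#(1 - 219) [2002-01-04 06:17:14]  UDP to 137 netBIOS ns
IPv4: 208.51.230.16 -> 12.82.140.57
      hlen=5 TOS=0 dlen=78 ID=24749 flags=0 offset=0 TTL=111 chksum=39970
UDP:  port=137 -> dport: 137 len=58
Payload:  length = 50

000 : CA 94 00 00 00 01 00 00 00 00 00 00 20 43 4B 41   ............ CKA
010 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
020 : 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21   AAAAAAAAAAAAA..!
030 : 00 01                                             ..
------------------------------------------------------------------------------
#(1 - 217) [2002-01-04 06:17:11]  UDP to 137 netBIOS ns
IPv4: 208.51.230.16 -> 12.82.140.57
      hlen=5 TOS=0 dlen=78 ID=24566 flags=0 offset=0 TTL=111 chksum=40153
UDP:  port=137 -> dport: 137 len=58
Payload:  length = 50

000 : CA 06 00 00 00 01 00 00 00 00 00 00 20 43 4B 41   ............ CKA
010 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
020 : 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21   AAAAAAAAAAAAA..!
030 : 00 01                                             ..
------------------------------------------------------------------------------
"""

HEADER_RE = re.compile(r"^#\((\d+) - (\d+)\) \[([^\]]+)\]\s+(.*)$")
IPV4_RE = re.compile(r"^IPv4: (\S+) -> (\S+)")
PAYLOAD_LEN_RE = re.compile(r"^Payload:\s+length = (\d+)")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{3} : ((?:[0-9A-Fa-f]{2} )+)")  # hex column only

Alert = namedtuple("Alert", "sid cid timestamp signature src dst payload")


def parse_acid_report(text):
    """Split an "alerts full" e-mail body on its dashed separators into Alerts."""
    alerts = []
    for block in re.split(r"^-{10,}$", text, flags=re.M):
        hdr = src = dst = declared = None
        raw = bytearray()
        for line in block.splitlines():
            if m := HEADER_RE.match(line):
                hdr = m
            elif m := IPV4_RE.match(line):
                src, dst = m.groups()
            elif m := PAYLOAD_LEN_RE.match(line):
                declared = int(m.group(1))
            elif m := HEX_RE.match(line):
                raw += bytes.fromhex(m.group(1))
        if hdr is None:
            continue  # text before the first / after the last separator
        alerts.append(Alert(int(hdr.group(1)), int(hdr.group(2)),
                            datetime.strptime(hdr.group(3), "%Y-%m-%d %H:%M:%S"),
                            hdr.group(4).strip(), src, dst,
                            bytes(raw if declared is None else raw[:declared])))
    return alerts


def sort_by_timestamp(alerts, descending=False):
    """Timestamp order with cid as tie-break, applied after parsing so it does
    not depend on whatever order the e-mail body was generated in."""
    return sorted(alerts, key=lambda a: (a.timestamp, a.cid), reverse=descending)


def decode_nbns_query(payload):
    """Decode the first question of a NetBIOS Name Service packet (RFC 1002):
    12-byte DNS-style header, a 0x20 length byte, 32 first-level-encoded
    characters (each nibble + 'A'), a zero terminator, then QTYPE and QCLASS."""
    enc = payload[13:45]
    if (len(payload) < 50 or payload[12] != 0x20 or payload[45] != 0
            or any(not 0x41 <= c <= 0x50 for c in enc)):
        raise ValueError("not a well-formed single-question NBNS packet")
    decoded = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    qtype = int.from_bytes(payload[46:48], "big")
    return {
        "txid": int.from_bytes(payload[0:2], "big"),
        # 15 name bytes (space/NUL padded) plus a 16th "suffix" byte
        "name": decoded[:15].rstrip(b" \x00").decode("ascii", "replace"),
        "suffix": decoded[15],
        "qtype": {0x20: "NB", 0x21: "NBSTAT"}.get(qtype, hex(qtype)),
        "qclass": int.from_bytes(payload[48:50], "big"),
    }
```

Running sort_by_timestamp(parse_acid_report(SAMPLE_REPORT), descending=True) yields cids 219, 218, 217, the order the "timestamp (descend)" query was expected to produce; decode_nbns_query on any of the three payloads returns name "*" and qtype "NBSTAT". Because the sort is applied to the parsed records, it is independent of the ACID e-mail path entirely.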

