Re: UDP Portscans Are Not Capture

[James Hoagland <hoagland () SiliconDefense com>]

At 6:53 PM +0300 9/30/02, Grigoris Vidakis wrote:
> dear sir
> i run snort Version 1.8.3 (Build 88) in the linux 7.3 (2.4.18-3) and it
> capture and aler me for upd portscans
> BUT in the same box which the same kernel and libpcap the snort Version
> 1.8.7 (Build 128) does not capture them..

To be clear, are you giving the same file as input (with -r) both 
times.  That is, are both snorts seeing the same stream of packets? 
If this is the case, then we'll need to investigate.

Or, is the case that the output of snort 1.8.3 (via -b) is becoming 
the input to snort 1.8.7 (via -r)?  If this is the case, then Erek 
correctly noted that the binary (libpcap format) output of 1.8.3 may 
not be as complete as you think.  Specifically, the packets that 
spp_portscan writes to its portscan.log file will only appear in that 
file and will not appear in in binary output file.

Please let us know which of the two situations applies to you.

Best regards,

  Jim

(P.s. For those that read snort-devel, the #2 case is another place 
when my contribution from last night can help.)

--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users