Snort mailing list archives

Re: spp_portscan improper timestamp in replay (-r option) procedure


From: James Hoagland <hoagland () SiliconDefense com>
Date: Tue, 1 Oct 2002 07:05:58 -0700

At 12:35 PM +0300 10/1/02, Grigoris Vidakis wrote:
Hi all!
I read a snort binary file with the -r option and the proper configuration file so that snort will generate the alerts again (all rules are included, and the log plugins). The problem I have is that the timestamp of the portscan alerts which are generated:

spp_portscan: PORTSCAN DETECTED from XXX (THRESHOLD 4 connections exceeded in 0 seconds) [**]
09/29-03:17:02.190148
spp_portscan: End of portscan from XXX: TOTAL time(43s) hosts(102) TCP(4) UDP(106) [**]
09/29-05:20:02.056458
spp_portscan: portscan status from XXX: 10 connections across 10 hosts: TCP(2), UDP(8) [**]
09/29-04:35:24.265486

is not the timestamp at which the packets had been captured by snort, but the current time, that is, the time
at which I run snort -r snortbinaryfile.
Of course I want the timestamp when the portscan took place in the alert logging, not the timestamp when snort processes the snortbinaryfile again.

Any idea how I can solve this problem?

You might want to look in the portscan.log file produced by spp_portscan. That will include the packets being reported as part of a portscan along with the time of those packets.

The reason those messages have the current time rather than a packet time is because there is no particular packet associated with those messages. So, what time would it display?

A possible answer to my own question is the timestamp from the last packet received by Snort. Not too difficult to implement, but I'm not convinced that that behavior is better than the current. If you wanted to implement it, make it an option.

Best regards,

  Jim
--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
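To make the design choice in the reply concrete, here is a small added example (not Snort's spp_portscan code, and not from either poster) of a threshold-style portscan tracker that can stamp its aggregate alert either with the wall clock, which is what the original poster saw under `snort -r`, or with the timestamp of the last packet it received, which is the option Jim sketches. The `Packet` record, the `PortscanTracker` class, the `replay()` helper and the sample packet list are all assumptions constructed for this example; the packet timestamps are chosen to fall on 2002-09-29 03:17 UTC so the alert formatting is easy to compare with the quoted output.

```python
"""Threshold portscan tracker whose alert time comes from packet time or wall clock.

Added example, not spp_portscan itself. A pcap read back with -r presents each
packet with the capture timestamp from its record header; an aggregate alert has
no single packet of its own, so the tracker has to decide which clock to use.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp from the pcap record header, epoch seconds
    src: str
    dst: str
    dport: int
    proto: str     # "TCP" or "UDP"


def fmt_snort_time(ts: float) -> str:
    """Render a timestamp in the MM/DD-HH:MM:SS.micro shape Snort alerts use (UTC here)."""
    micro = int((ts - int(ts)) * 1_000_000)
    return time.strftime("%m/%d-%H:%M:%S", time.gmtime(int(ts))) + f".{micro:06d}"


class PortscanTracker:
    """Count distinct (dst, port, proto) targets per source inside a sliding window."""

    def __init__(self, threshold=4, window=3.0, use_packet_time=True, clock=time.time):
        self.threshold = threshold
        self.window = window              # seconds, measured in packet time
        self.use_packet_time = use_packet_time
        self.clock = clock                # wall clock; injectable so tests are deterministic
        self.last_packet_ts = None        # the "last packet received" option from the reply
        self.conns = {}                   # src -> list of (ts, dst, dport, proto)
        self.reported = set()
        self.alerts = []                  # (alert timestamp, message)

    def alert_time(self) -> float:
        if self.use_packet_time and self.last_packet_ts is not None:
            return self.last_packet_ts
        return self.clock()

    def process(self, pkt: Packet):
        self.last_packet_ts = pkt.ts
        seen = self.conns.setdefault(pkt.src, [])
        seen.append((pkt.ts, pkt.dst, pkt.dport, pkt.proto))
        # expire connections outside the window, judged by this packet's capture time
        seen[:] = [c for c in seen if pkt.ts - c[0] <= self.window]
        distinct = {(c[1], c[2], c[3]) for c in seen}
        if len(distinct) >= self.threshold and pkt.src not in self.reported:
            self.reported.add(pkt.src)
            first = min(c[0] for c in seen)
            ats = self.alert_time()
            msg = (f"[**] {fmt_snort_time(ats)} spp_portscan: PORTSCAN DETECTED from {pkt.src} "
                   f"(THRESHOLD {self.threshold} connections exceeded in {int(pkt.ts - first)} seconds) [**]")
            self.alerts.append((ats, msg))
            return msg
        return None


def replay(packets, use_packet_time=True, clock=time.time):
    """Feed packets through a fresh tracker, as a -r replay would, and return its alerts."""
    tracker = PortscanTracker(use_packet_time=use_packet_time, clock=clock)
    for pkt in packets:
        tracker.process(pkt)
    return tracker.alerts


# Constructed replay data: four probes from one source within two seconds.
# BASE is 2002-09-29 03:17:02 UTC, so the alert time reads 09/29-03:17:0x.
BASE = 1033269422.0
SAMPLE_PACKETS = [
    Packet(BASE + 0.0, "192.0.2.10", "198.51.100.1", 22, "TCP"),
    Packet(BASE + 0.5, "192.0.2.10", "198.51.100.2", 22, "TCP"),
    Packet(BASE + 1.0, "192.0.2.10", "198.51.100.3", 53, "UDP"),
    Packet(BASE + 2.0, "192.0.2.10", "198.51.100.4", 80, "TCP"),
]

if __name__ == "__main__":
    # Packet-time stamping: the alert carries the capture time of the last probe.
    for _, msg in replay(SAMPLE_PACKETS):
        print(msg)
    # Wall-clock stamping: the alert carries the time of the replay run instead.
    for _, msg in replay(SAMPLE_PACKETS, use_packet_time=False):
        print(msg)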


-------------------------------------------------------
This sf.net email is sponsored by: DEDICATED SERVERS only $89!
Linux or FreeBSD, FREE setup, FAST network. Get your own server today at http://www.ServePath.com/indexfm.htm
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


Current thread: