Snort mailing list archives

Questionable snort data downloaded from incidents.org for practical


From: "Don Murdoch" <djmurd () cox net>
Date: Tue, 13 May 2003 22:01:30 -0400


Hello - I am hoping that someone out there can give me some direction
and advice.  I see some odd data in the logs that I downloaded from
www.incidents.org/logs/ (030501 to 030505).  It would appear that the
data is not being written to the disk correctly - that there is some sort
of abbreviated format going on here.

Q's - is this normal?  I don't see anything like this on our production
Snort IDS at work....
I haven't seen anything like this in my studies so far.
What should I do (SANS people...)...
How should I analyze this data?  Should I reassemble it in some way?

Example data chunks below:

from alert.030501

05/01-11:18:31.659156  [**] SMB Name Wildcard [**] 61.186.111.220:1029 ->
MY.NET.18.240:137
:1027 -> 233.2.171.1:56464
:56464
:56464
:137

05/01-11:46:24.458715  [**] spp_portscan: PORTSCAN DETECTED from MY.NET.1.3
(THRESHOLD 12 conn
ections exceeded in 1 seconds) [**]
:56464
:56464
:56464
:56464
:56464
--------------------------------------
From the outbox of ...
Don Murdoch, CISSP, MCSD, MCSE (NT/2K)
Today's Sun Tzu Quote: "War is a matter of vital importance to the state; a
matter of life or death, the road either to survival or to ruin. Hence, it
is imperative that it be studied thoroughly." (Ch. 1).
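An added example (not from the original post) that checks an alert file of this kind for the problem described above: it re-joins records that were wrapped onto a second line, parses the Snort fast-alert records, and counts the orphaned ":port" fragments so you know how much of the file is unusable before analyzing it. The sample lines are the ones quoted in the message; the regular expressions are my own assumptions about the fast-alert layout, not Snort's own code.

```python
import re
from collections import Counter

# Snort "fast" alert record: MM/DD-HH:MM:SS.usec [**] message [**] src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]"
    r"(?:\s*(?P<src>\S+)\s*->\s*(?P<dst>\S+))?\s*$"
)
TS_RE = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s")
# Orphaned tail of a record: ":port" or ":port -> host:port" with no timestamp or message.
FRAGMENT_RE = re.compile(r"^:\d+(\s*->\s*\S+)?$")

# Constructed from the lines quoted in the message above.
SAMPLE = """\
05/01-11:18:31.659156  [**] SMB Name Wildcard [**] 61.186.111.220:1029 ->
MY.NET.18.240:137
:1027 -> 233.2.171.1:56464
:56464
:56464
:137

05/01-11:46:24.458715  [**] spp_portscan: PORTSCAN DETECTED from MY.NET.1.3
(THRESHOLD 12 conn
ections exceeded in 1 seconds) [**]
:56464
:56464
:56464
:56464
:56464
""".splitlines()

def join_wrapped(lines):
    """A line that starts neither with a timestamp nor as a ':port' fragment is a
    wrapped continuation of the previous record. Mid-word wraps ('conn' / 'ections')
    are rejoined with a space; the record still parses, the message text is not repaired."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or FRAGMENT_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def classify(lines):
    """Split raw alert-file lines into parsed alerts, orphan fragments, and unparsed junk."""
    alerts, fragments, unparsed = [], [], []
    for rec in join_wrapped(lines):
        m = ALERT_RE.match(rec)
        if m:
            alerts.append(m.groupdict())
        elif FRAGMENT_RE.match(rec):
            fragments.append(rec)
        else:
            unparsed.append(rec)
    return alerts, fragments, unparsed

def summarize(lines):
    """Counts a reader can use to judge whether the file is worth analyzing as-is."""
    alerts, fragments, unparsed = classify(lines)
    ports = Counter(f.split()[0] for f in fragments)  # leading ':port' token
    return {"alerts": len(alerts), "fragments": len(fragments), "unparsed": len(unparsed),
            "fragment_ports": dict(ports),
            "fragment_ratio": round(len(fragments) / max(1, len(alerts) + len(fragments)), 2)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the quoted sample the fragment ratio is above 0.8, which says the file is mostly truncated records; the dst/src fields of surviving alerts can still be used, but per-port counts built from the fragments alone are not trustworthy.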



