Snort mailing list archives
Questionable snort data downloaded from incidents.org for practical
From: "Don Murdoch" <djmurd () cox net>
Date: Tue, 13 May 2003 22:01:30 -0400
Hello - I am hoping that someone out there can give me some direction and advice. I see some odd data in the logs that I downloaded from www.incidents.org/logs/ (030501 to 030505). It would appear that the data is not being written to the disk - that there is some sort of abbreviated format going on here.

Q's - is this normal? I don't see anything like this on our production Snort IDS at work.... I haven't seen anything like this in my studies so far. What should I do (SANS people...)... How should I analyze this data? Should I reassemble it in some way?

Example data chunks below:

from alert.030501

05/01-11:18:31.659156 [**] SMB Name Wildcard [**] 61.186.111.220:1029 -> MY.NET.18.240:137
:1027 -> 233.2.171.1:56464
:56464
:56464
:137
05/01-11:46:24.458715 [**] spp_portscan: PORTSCAN DETECTED from MY.NET.1.3 (THRESHOLD 12 connections exceeded in 1 seconds) [**]
:56464
:56464
:56464
:56464
:56464

--------------------------------------
From the outbox of ...
Don Murdoch, CISSP, MCSD, MCSE (NT/2K)

Today's Sun Tzu Quote: "War is a matter of vital importance to the state; a matter of life or death, the road either to survival or to ruin. Hence, it is imperative that it be studied thoroughly." (Ch. 1).
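Added example, not part of the post or of the Snort project: a small Python parser for the fast-alert lines quoted above that separates well-formed records from the truncated ":port" fragments, so you can measure how much of a downloaded alert file is actually usable before trying to analyze it. It assumes the classic fast-alert layout shown in the post (timestamp [**] message [**] src:port -> dst:port, or a bare spp_portscan message) with hosts possibly obfuscated as MY.NET.x.y; the sample text is constructed from a subset of the lines in the post.

```python
import re

TS = r"(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)"
HOST = r"[A-Za-z0-9.]+"  # allows the MY.NET.x.y obfuscation used in the logs
# Full record: timestamp [**] message [**] src:port -> dst:port
ALERT_RE = re.compile(
    TS + r"\s+\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?P<src>" + HOST + r"):(?P<sport>\d+)\s+->\s+(?P<dst>" + HOST + r"):(?P<dport>\d+)\s*$"
)
# spp_portscan records carry no src:port -> dst:port pair.
PORTSCAN_RE = re.compile(TS + r"\s+\[\*\*\]\s+(?P<msg>spp_portscan:.+?)\s+\[\*\*\]\s*$")
# Truncated record whose leading fields are gone: ":1027 -> 233.2.171.1:56464" or just ":56464".
FRAGMENT_RE = re.compile(r"^:\d+(\s+->\s+" + HOST + r":\d+)?$")


def parse_fast_alerts(text):
    """Sort alert text into parsed events, truncated fragments and unknown lines."""
    result = {"events": [], "fragments": [], "unparsed": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line) or PORTSCAN_RE.match(line)
        if m:
            ev = m.groupdict()
            for key in ("sport", "dport"):  # only present for full records
                if key in ev:
                    ev[key] = int(ev[key])
            result["events"].append(ev)
        elif FRAGMENT_RE.match(line):
            result["fragments"].append(line)
        else:
            result["unparsed"].append(line)
    return result


def fragment_ratio(result):
    """Share of non-empty lines that are truncated; a high value means the file
    itself is damaged and cannot be reassembled from the alert log alone."""
    total = sum(len(v) for v in result.values())
    return len(result["fragments"]) / total if total else 0.0


# Constructed sample: a subset of the alert.030501 lines quoted in the post.
SAMPLE = """\
05/01-11:18:31.659156 [**] SMB Name Wildcard [**] 61.186.111.220:1029 -> MY.NET.18.240:137
:1027 -> 233.2.171.1:56464
:56464
:56464
:137
05/01-11:46:24.458715 [**] spp_portscan: PORTSCAN DETECTED from MY.NET.1.3 (THRESHOLD 12 connections exceeded in 1 seconds) [**]
:56464
"""

if __name__ == "__main__":
    r = parse_fast_alerts(SAMPLE)
    print(len(r["events"]), "events,", len(r["fragments"]), "fragments,", f"{fragment_ratio(r):.0%} truncated")
```

Fragments that contain only a port cannot be tied back to a source or destination, so the answer to the post's question is to treat them as evidence of a damaged capture rather than something to reassemble; the ratio tells you how much of the file is left to work with.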