Snort mailing list archives

Re: snort 2.0.0 logging problem?


From: "sb ch" <chulmin22 () hotmail com>
Date: Fri, 20 Jun 2003 10:28:43 +0900

Hello,

Sorry for my poor writing.
But your answer is not what I meant.


## The correct format:
[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]


## But my incorrect format is below:
[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434

UDP TTL:126 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]

So, my snort log analyzer program would not work well.


Thanks in advance.
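The parser below is an added example, not code from this thread or from the Snort project. It reads Snort 2.x "full alert" records like the ones quoted above and copes with the interleaving shown in the second sample: header blocks are queued, and each packet block is paired with the oldest header still waiting for one. That FIFO pairing is an assumption about the order in which the records were emitted, so records that had to be paired this way are flagged `interleaved` for an analyst to review, and packet blocks with no header at all are returned separately rather than dropped. The two sample strings are constructed from the records in the post (IP addresses obfuscated with "xx" exactly as posted).

```python
"""Tolerant parser for Snort 2.x 'full alert' records (added example, not from the thread)."""
import re
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
PROTO_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
XREF_RE = re.compile(r"^\[Xref => (.*?)\]$")

# Constructed samples taken from the records quoted in the post: the well-formed
# record and the interleaved one ("xx" obfuscation kept as posted).
SAMPLE_CORRECT = """\
[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
"""
SAMPLE_INTERLEAVED = """\
[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434

UDP TTL:126 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
"""


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str] = None
    priority: Optional[int] = None
    timestamp: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None
    ttl: Optional[int] = None
    xrefs: List[str] = field(default_factory=list)
    interleaved: bool = False  # header was not directly followed by its packet block


def _split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'211.xx.xx.xx:3314' -> ('211.xx.xx.xx', 3314); ICMP lines carry no port (IPv4 only)."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (ep, None)


def parse_full_alert(text: str) -> Tuple[List[Alert], List[str]]:
    """Return (alerts, orphan packet lines). A packet block is paired with the
    oldest header still waiting for one (FIFO), an assumption about emission order."""
    alerts: List[Alert] = []
    orphans: List[str] = []
    pending: deque = deque()          # headers that have not yet received a packet block
    current: Optional[Alert] = None   # alert that the following proto/Len/Xref lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            alert = Alert(int(m[1]), int(m[2]), int(m[3]), m[4])
            if pending:  # an earlier header is still waiting: headers were interleaved
                alert.interleaved = True
                for waiting in pending:
                    waiting.interleaved = True
            alerts.append(alert)
            pending.append(alert)
            current = alert
        elif m := CLASS_RE.match(line):
            if alerts:  # classification always follows its own header line
                alerts[-1].classification, alerts[-1].priority = m[1], int(m[2])
        elif m := PACKET_RE.match(line):
            if not pending:  # packet block with no header to attach to
                orphans.append(line)
                current = None
                continue
            current = pending.popleft()
            current.timestamp = m[1]
            current.src, current.sport = _split_endpoint(m[2])
            current.dst, current.dport = _split_endpoint(m[3])
        elif current is not None:
            if m := PROTO_RE.match(line):
                current.proto, current.ttl = m[1], int(m[2])
            elif m := XREF_RE.match(line):
                current.xrefs.append(m[1])
    return alerts, orphans
```

Run over the interleaved sample it returns two MS-SQL ping alerts, one with TTL 128 and one with TTL 126, both flagged `interleaved`; over the well-formed sample it returns a single unflagged alert. An analyzer that keys on "one header line, then one packet line" would silently mis-attribute the second record, which is what the flag is there to surface.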


From: Erek Adams <erek () snort org>
To: sb ch <chulmin22 () hotmail com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.0.0 logging problem?
Date: Thu, 19 Jun 2003 09:25:56 -0400 (EDT)

On Thu, 19 Jun 2003, sb ch wrote:

> When I see my snort log file, I found that the logging does not work well
> always, like below.
> Same lines are logged again like below.
> Surely some messages are logged well but some aren't.
>
> What's the problem and how can I solve this problem?
>
> [**] [1:2049:1] MS-SQL ping attempt [**]
> [Classification: Misc activity] [Priority: 3]
> [**] [1:2049:1] MS-SQL ping attempt [**]
> [Classification: Misc activity] [Priority: 3]
> 06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
> UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
> Len: 1
> [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
> 06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
>
> UDP TTL:126 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
> Len: 1
> [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]

What info are you expecting?  That's the info from a 'full alert' file.

That's perfectly normal...  Now if you're expecting the entire packet
dump, you'll need to log to a pcap, unified, or a DB.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



