Snort mailing list archives

Syslog Alert format?


From: JP Vossen <vossenjp () netaxs com>
Date: Fri, 12 Dec 2003 00:25:15 -0500 (EST)

There is probably an obvious answer to this, but if so it's eluding me at the
moment.  I see a lot of Snort events from a lot of customer networks from all
over the world.  Every once in a while I see syslog alerts that are different
than I expect.  I have a ton of regular expressions to filter things, and I
get odd stuff that doesn't match.

For example, I'm getting this one, note the missing src and dst ports (made
up IPs):

...BAD-TRAFFIC bad frag bits [Classification: Misc activity] [Priority: 3]:
{TCP} 172.16.52.75 -> 10.10.10.81

I'm expecting something like this:
        {TCP} 172.16.52.75:80 -> 10.10.10.81:3565

Off the top of my head, I don't even know how to do that on purpose!  How do
you change the output?  I sometimes see missing ports, or missing punctuation
here and there...  What am I not considering here?

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
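The two alert shapes from the post, handled by an added example parser that is not part of the original thread (the sample lines, IPs and gid:sid:rev values are constructed). Snort's syslog output prints `src:port -> dst:port` only when it decoded a TCP/UDP header; for an IP fragment, which is what the "bad frag bits" rule fires on, it prints addresses alone, so the ports are treated as optional here instead of breaking the match.

```python
import re
from typing import Optional

# Constructed sample syslog lines (made-up IPs and gid:sid:rev values);
# the first mirrors the port-less "bad frag bits" line from the post.
SAMPLE_ALERTS = [
    "snort[2121]: [1:1322:4] BAD-TRAFFIC bad frag bits "
    "[Classification: Misc activity] [Priority: 3]: {TCP} 172.16.52.75 -> 10.10.10.81",
    "snort[2121]: [1:9999:1] WEB-MISC constructed sample "
    "[Classification: Misc activity] [Priority: 3]: {TCP} 172.16.52.75:80 -> 10.10.10.81:3565",
    "snort[2121]: [1:9998:1] ICMP constructed sample [Priority: 3]: {ICMP} 172.16.52.75 -> 10.10.10.81",
]

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"            # [gid:sid:rev] tag
    r"(?P<msg>[^\[\]]+?)\s+"                                    # rule message (no brackets)
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?" # absent if rule has no classtype
    r"\[Priority:\s*(?P<priority>\d+)\]:\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"     # port optional (fragments, ICMP)
    r"\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Parse one Snort syslog alert line; return None if it does not match."""
    m = ALERT_RE.search(line)  # search: skips the "snort[pid]: " syslog prefix
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    # Ports are missing when Snort had no decodable transport header,
    # e.g. an IP fragment or a non-TCP/UDP protocol such as ICMP.
    fields["ports_present"] = fields["sport"] is not None and fields["dport"] is not None
    return fields


if __name__ == "__main__":
    for sample in SAMPLE_ALERTS:
        print(parse_alert(sample))
```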


