Snort mailing list archives

Re: Syslog Alert format?


From: Ralf Spenneberg <lists () spenneberg org>
Date: 12 Dec 2003 10:09:58 +0100

On Fri, 2003-12-12 at 06:25, JP Vossen wrote:

> For example, I'm getting this one, note the missing src and dst ports (made-up
> IPs):
>
> ...BAD-TRAFFIC bad frag bits [Classification: Misc activity] [Priority: 3]:
> {TCP} 172.16.52.75 -> 10.10.10.81
This is a fragmented packet. Fragments only carry the original IP header
but not any upper protocol header like a TCP header. Snort can therefore
just determine the upper layer protocol (like TCP) but not any
additional TCP information like below.

> I'm expecting something like this:
>       {TCP} 172.16.52.75:80 -> 10.10.10.81:3565


> Off the top of my head, I don't even know how to do that on purpose!  How do
> you change the output?
The output is not changed. The packet just does not provide the
information.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: VPN mit Linux
Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto                                  http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org

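Added example (not part of the original thread, and not Snort's own code): a small IPv4 header parser that shows why the port numbers can go missing from an alert tail like the one quoted above. It reads the flags/fragment-offset field, and only reads transport-layer ports when the fragment offset is zero, because a later fragment starts with a slice of the original payload rather than a TCP header. The two packets and the builder that produces them are constructed inline for illustration; the addresses and ports mirror the ones in the thread. The check for DF and MF set together is my assumption about what a "bad frag bits" style rule is looking for (the two flags are contradictory in the IPv4 header), not a reading of the Snort rule itself.

```python
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Bits of the 16-bit flags/fragment-offset field in the IPv4 header.
FLAG_DF = 0x4000      # Don't Fragment
FLAG_MF = 0x2000      # More Fragments
OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units


@dataclass
class Summary:
    proto: str
    src: str
    dst: str
    frag_offset: int
    more_fragments: bool
    dont_fragment: bool
    sport: Optional[int]
    dport: Optional[int]

    def snort_style(self) -> str:
        """Render the '{PROTO} a.b.c.d:p -> w.x.y.z:q' tail; ports are dropped
        when the packet carried no transport header to read them from."""
        if self.sport is None:
            return f"{{{self.proto}}} {self.src} -> {self.dst}"
        return f"{{{self.proto}}} {self.src}:{self.sport} -> {self.dst}:{self.dport}"

    def bad_frag_bits(self) -> bool:
        """Assumed check: DF and MF set at once is self-contradictory."""
        return self.dont_fragment and self.more_fragments


def summarize(pkt: bytes) -> Summary:
    """Parse an IPv4 header and, for the first piece of a datagram only, the
    transport-layer ports that follow it."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    offset = flags_frag & OFFSET_MASK
    mf = bool(flags_frag & FLAG_MF)
    df = bool(flags_frag & FLAG_DF)
    sport = dport = None
    # Only the piece at offset 0 begins with the TCP/UDP header; a later
    # fragment begins with payload bytes, so there are no ports to decode.
    if offset == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return Summary(PROTO_NAMES.get(proto, str(proto)), src, dst, offset, mf, df, sport, dport)


def build_ipv4(src: str, dst: str, proto: int, flags_frag: int, payload: bytes) -> bytes:
    """Constructed test-packet builder (checksum left zero; nothing is sent)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


# Constructed samples. A 20-byte TCP header, ports 80 -> 3565, ACK|PSH set.
TCP_HDR_80_TO_3565 = struct.pack("!HHIIBBHHH", 80, 3565, 1, 0, 0x50, 0x18, 65535, 0, 0)

# First piece of a fragmented datagram: offset 0, MF set, TCP header present.
FIRST_PIECE = build_ipv4("172.16.52.75", "10.10.10.81", 6, FLAG_MF, TCP_HDR_80_TO_3565)

# A later fragment with DF and MF both set and a non-zero offset: IP header
# followed by payload bytes only, so no ports can be recovered from it.
LATER_FRAGMENT = build_ipv4("172.16.52.75", "10.10.10.81", 6,
                            FLAG_DF | FLAG_MF | 185, b"\x00" * 32)

if __name__ == "__main__":
    for pkt in (FIRST_PIECE, LATER_FRAGMENT):
        s = summarize(pkt)
        print(s.snort_style(), "bad frag bits" if s.bad_frag_bits() else "")
```

Run as a script it prints the tail with ports for the first piece and without them for the later fragment, which is the difference between the two alert lines quoted above.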

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users