Snort mailing list archives
Re: Syslog Alert format?
From: Ralf Spenneberg <lists () spenneberg org>
Date: 12 Dec 2003 10:09:58 +0100
On Fri, 2003-12-12 at 06:25, JP Vossen wrote:
> For example, I'm getting this one, note the missing src and dst ports (made up IPs): ...BAD-TRAFFIC bad frag bits [Classification: Misc activity] [Priority: 3]: {TCP} 172.16.52.75 -> 10.10.10.81
This is a fragmented packet. Fragments only carry the original IP header but not any upper protocol header like a TCP header. Snort can therefore just determine the upper layer protocol (like TCP) but not any additional TCP information like below.
> I'm expecting something like this: {TCP} 172.16.52.75:80 -> 10.10.10.81:3565
> Off the top of my head, I don't even know how to do that on purpose! How do you change the output?
The output is not changed. The packet just does not provide the information.

Cheers,
Ralf
--
Ralf Spenneberg RHCE, RHCX
Book: VPN mit Linux
Book: Intrusion Detection für Linux Server
http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
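A small parser for the alert tail quoted in this thread that treats the ports as optional, so alerts on fragments (protocol known, no TCP header) are recorded instead of being rejected as malformed. This is an added example, not code from the thread or from Snort; the syslog prefix, the gid:sid:rev values and the field names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Tail of a Snort syslog alert as quoted in the thread:
#   <msg> [Classification: <class>] [Priority: <n>]: {<proto>} <src>[:port] -> <dst>[:port]
# Ports are optional: a fragment carries only the IP header, so Snort can name
# the upper-layer protocol but has no TCP/UDP header to read ports from.
ALERT_RE = re.compile(
    r"(?P<msg>[^\[\]]+?)\s*"
    r"\[Classification:\s*(?P<classification>[^\]]+)\]\s*"
    r"\[Priority:\s*(?P<priority>\d+)\]:\s*"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)
@dataclass
class SnortAlert:
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    @property
    def is_fragment(self) -> bool:
        # TCP/UDP alert without ports: Snort only saw an IP fragment.
        return self.proto in ("TCP", "UDP") and self.sport is None and self.dport is None

def parse_alert(line: str) -> Optional[SnortAlert]:
    m = ALERT_RE.search(line)  # None when the tail does not match the format
    if not m:
        return None
    g = m.groupdict()
    return SnortAlert(
        msg=g["msg"].strip(), classification=g["classification"].strip(),
        priority=int(g["priority"]), proto=g["proto"],
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )

# Constructed sample lines modelled on the two forms quoted in the thread;
# the syslog prefix and the gid:sid:rev values are placeholders.
SAMPLE_LINES = [
    "Dec 12 06:20:01 sensor snort[123]: [1:99999:1] BAD-TRAFFIC bad frag bits "
    "[Classification: Misc activity] [Priority: 3]: {TCP} 172.16.52.75 -> 10.10.10.81",
    "Dec 12 06:20:02 sensor snort[123]: [1:99998:1] EXAMPLE web rule "
    "[Classification: Misc activity] [Priority: 3]: {TCP} 172.16.52.75:80 -> 10.10.10.81:3565",
]
```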