Snort mailing list archives

Re: Different Portscan format under 2.1.0 to 2.0.5


From: "M. Salman Farisi" <msalmanf () students ee itb ac id>
Date: Mon, 16 Feb 2004 12:42:08 +0700 (WIT)


I also have the same problem as Mr Meatheringham. I use snort 2.1.0. I
have tried to scan from another machine and give a small attack but it
doesn't alert or log anything.
I have checked /var/log/messages, /var/log/secure, and
/var/log/snort/alert, not even mysql!!!!!

Any recommendation?


On Mon, 16 Feb 2004, Stephen Meatheringham wrote:

Hi
  I've recently upgraded my snort from 2.0.5 to 2.1.0.  I note that the portscan
section is now very different.  Indeed I don't seem to get a portscan log file
any longer and see entries such as these in my alert log file:
[**] [121:4:1] Portscan detected from 203.26.51.50 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
[**] [121:4:1] Portscan detected from 130.241.27.5 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
[**] [121:4:1] Portscan detected from 61.88.251.10 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]

  If possible I'd like to get similar output to the older version which when
processed with snortsnarf shows me the IP addresses scanned and the port(s)
scanned on.

  I can't seem to work out how to achieve this.

  Thanks in advance for any advice.

Stephen Meatheringham
   Senior Network Engineer, IT Services
   Australian Defence Force Academy
   email: s.meatheringham () adfa edu au
   Phone: +61 2 6268 8142     Fax: +61 2 6268 8150
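The 2.1.0 alert lines quoted in the thread carry only the scanning source address and the preprocessor's talker/scanner counters, not the scanned targets or ports that the 2.0.5 portscan log (and snortsnarf) used to show. The following parser is an added example, not code from the thread or from the Snort project: it reads alert lines in exactly the format quoted above, re-joins lines that a mail client wrapped at 80 columns, and tallies alerts per source so the new format can at least be summarised per scanner. The regular expression and field names are this example's own; the sample input is constructed from the three alerts quoted above.

```python
import re
from collections import Counter

# Constructed sample input: the three alerts quoted in the thread, with the
# 80-column wrapping they have in the mail (each alert spans two lines).
SAMPLE_ALERTS = """\
[**] [121:4:1] Portscan detected from 203.26.51.50 Talker(fixed: 30 sliding: 30)
Scanner(fixed: 0 sliding: 0) [**]
[**] [121:4:1] Portscan detected from 130.241.27.5 Talker(fixed: 30 sliding: 30)
Scanner(fixed: 0 sliding: 0) [**]
[**] [121:4:1] Portscan detected from 61.88.251.10 Talker(fixed: 30 sliding: 30)
Scanner(fixed: 0 sliding: 0) [**]
"""

# One portscan alert as printed in the 2.1.0 alert file. The pattern follows
# the lines quoted above; the group names are this example's own choice.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"Portscan detected from (?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"Talker\(fixed:\s*(?P<talker_fixed>\d+)\s+sliding:\s*(?P<talker_sliding>\d+)\)\s+"
    r"Scanner\(fixed:\s*(?P<scanner_fixed>\d+)\s+sliding:\s*(?P<scanner_sliding>\d+)\)\s+"
    r"\[\*\*\]"
)


def unwrap(text):
    """Re-join alerts that were wrapped in transit: a line that does not start
    with '[**]' is treated as the continuation of the preceding alert."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[**]") or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line
    return records


def parse_alert(line):
    """Return the fields of one portscan alert as a dict, or None when the
    line is some other alert (or not an alert at all)."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {k: (v if k == "src" else int(v)) for k, v in m.groupdict().items()}


def parse_alerts(text):
    """Parse every portscan alert in a (possibly wrapped) alert file."""
    return [rec for rec in map(parse_alert, unwrap(text)) if rec is not None]


def summarize(alerts):
    """Alerts per source address plus the highest talker counter seen, which
    is all this format reveals: no target addresses and no ports."""
    counts = Counter(a["src"] for a in alerts)
    peak = {}
    for a in alerts:
        peak[a["src"]] = max(peak.get(a["src"], 0),
                             a["talker_fixed"], a["talker_sliding"])
    return {src: {"alerts": n, "peak_talker": peak[src]}
            for src, n in counts.items()}


if __name__ == "__main__":
    for src, info in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src}: {info['alerts']} alert(s), "
              f"peak talker counter {info['peak_talker']}")
```

Run it against a real alert file with `parse_alerts(open("/var/log/snort/alert").read())`; non-portscan alerts are skipped because the pattern only matches the "Portscan detected from" message. The summary makes the limitation of the new format explicit: correlating which hosts and ports were probed still needs the packet-level data, not these alert lines.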


Snort-users mailing list
Snort-users () lists sourceforge net
