Snort mailing list archives
Re: Snort sfpreprocessor question
From: Leo Nespoli <leo4b () hotmail it>
Date: Tue, 31 May 2016 09:10:13 +0000
Hi Dr. Lewis,
I've attached the pcap file you requested from me.
I did an nmap scan so that a portscan rule fires.
I have the sfportscan preprocessor enabled, together with some preprocessor rules.
This is the log that is coming out:
[122:1:1] (portscan) TCP Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 192.168.1.110 -> 192.168.1.107
Thanks for your time and your availability,
MaLeo.
________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: Tuesday, 31 May 2016 07:22
To: Leo Nespoli; snort-users () lists sourceforge net
Subject: RE: Snort sfpreprocessor question
Can you provide a conf and pcap of the traffic that is generating PROTO:255 alerts please?
Thanks
Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
From: Leo Nespoli [mailto:leo4b () hotmail it]
Sent: Monday, May 30, 2016 2:06 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort sfpreprocessor question
Hello,
Is it possible to change the protocol field generated by sfpreprocessor?
I have some logs with {PROTO:255}, and I'd like to change this field.
Thanks,
MaLeo.
Attachment: proto_255.pcap
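The alert in this thread is in Snort's "fast" alert format, and the PROTO:255 field is what the poster wants to change. Rather than altering what the preprocessor emits, a log consumer can normalize the line itself. The parser below is an added example, not code from the thread or from Snort: it extracts the bracketed fields, maps the numeric protocol (255 is the IANA "Reserved" value) and, for GID 122 portscan alerts, derives the scanned protocol from the message text instead of the PROTO field (an assumption about the message wording, matching the alert quoted above). The regex and PROTO_NAMES table are constructed here, not taken from Snort's sources.

```python
import re

# Regex for one Snort "fast" alert line (constructed for this example; tolerates
# an optional timestamp prefix and the "[**]" separators some output modes add).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s*(?:\[\*\*\]\s*)?"
    r"\[Classification:\s*(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

# IANA protocol numbers for values Snort may print numerically; 255 is "Reserved".
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 255: "RESERVED"}
PORTSCAN_GID = 122  # the GID carried by the portscan alert quoted in the thread

# Sample input: the alert line from the thread, joined onto one line.
SAMPLE_ALERT = (
    "[122:1:1] (portscan) TCP Portscan [Classification: Attempted Information Leak] "
    "[Priority: 2] {PROTO:255} 192.168.1.110 -> 192.168.1.107"
)


def parse_alert(line):
    """Return a dict of normalized fields, or None if the line is not a fast alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        d[key] = int(d[key])
    d["proto_number"] = None
    if d["proto"].startswith("PROTO:"):
        # Numeric protocol such as {PROTO:255}: keep the number, add a readable name.
        num = int(d["proto"].split(":", 1)[1])
        d["proto_number"] = num
        d["proto"] = PROTO_NAMES.get(num, f"PROTO:{num}")
    # Portscan alerts describe the scanned protocol in the message text
    # ("(portscan) TCP Portscan"), so take it from there for GID 122.
    d["scan_proto"] = None
    if d["gid"] == PORTSCAN_GID:
        mm = re.search(r"\b(TCP|UDP|ICMP|IP)\b", d["msg"])
        d["scan_proto"] = mm.group(1) if mm else None
    return d


if __name__ == "__main__":
    print(parse_alert(SAMPLE_ALERT))
```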