[Snort-devel] alert.full strangeness

Erek Adams erek at ...105...
Mon Apr 9 10:10:33 EDT 2001


After a recent CVS update, I started to notice something odd in my alert.full
file.

The timestamps seem to be "running into" the src IP.  Not overwriting, just no
spacing in front of it.

[examples below]

I tried to follow the code...  *sigh*  But I guess that's why I don't code for
a living.  :)

Has anyone else seen this?

-----

This is my following config:

/* $Id: snort.c,v 1.82 2001/03/28 13:24:09 fygrave Exp $ */

Version 1.8-beta1 (Build 10) (CVS Version, updated 4/7 @ 18:43 )

Libpcap: 0.6.2 (Updated March 4)

SunOS meep 5.7 Generic_106541-08 sun4m sparc SUNW,SPARCstation-5

--
Started with:

/usr/local/bin/snort -o -c /local/home/snort/snort.conf -t /local/home/snort -u snort -g snort -h 10.10.10.0/24 -y


--snort.conf--

Stock from CVS, with only HOME_NET and DNS_SERVERS defined.

output alert_full: alert.full
output log_tcpdump: snort.log
output database: alert, mysql, user=foo password=foo dbname=snort17 host=merf
--

Output from alert.full:

[**] spp_portscan: portscan status from 202.38.66.21: 8 connections across 8 hosts: TCP(8), UDP(0) [**]
04/08/01-15:36:35.777164

[**] spp_portscan: End of portscan from 202.38.66.21: TOTAL time(0s) hosts(8) TCP(8) UDP(0) [**]
04/08/01-15:37:11.021805

[**] External ssh access attempt [**]
04/08/01-16:04:59.870590209.16.131.73:1023 -> 10.10.10.10:22
TCP TTL:255 TOS:0x0 ID:33220 IpLen:20 DgmLen:44 DF
******S* Seq: 0xA4FE435E  Ack: 0x0  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

[**] External ssh access attempt [**]
04/08/01-16:05:03.894923209.16.131.73:1022 -> 10.10.10.10:22
TCP TTL:255 TOS:0x0 ID:33244 IpLen:20 DgmLen:44 DF
******S* Seq: 0xA5064F02  Ack: 0x0  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

[**] External ssh access attempt [**]
04/08/01-16:05:07.831160209.16.131.73:1021 -> 10.10.10.10:22
TCP TTL:255 TOS:0x0 ID:33267 IpLen:20 DgmLen:44 DF
******S* Seq: 0xA50DDEB2  Ack: 0x0  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460


-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
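Added example, not code from Erek's post or from Snort itself: a small Python parser for alert_full records that still recovers the source and destination addresses when the timestamp runs into the source IP, as in the output above. It relies on the fact that the alert_full timestamp has a fixed width (the microsecond field is always six digits), and it flags each record where the separating space was missing so you can see how many lines a naive whitespace split would have mangled. The sample input is constructed from the records quoted above (the e-mail-wrapped portscan line rejoined); the third record is the same ssh alert rewritten with the space present for comparison. Accepting the no-year timestamp form (snort started without -y) and skipping bracketed lines between the message and the timestamp are assumptions about formats not shown on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Snort's alert_full timestamp is MM/DD-HH:MM:SS.uuuuuu, or MM/DD/YY-... when
# snort runs with -y as in the report above.  The microsecond field is always
# six digits, so the timestamp has a fixed width and can be split from an IP
# address even when the separating space is missing.
_TS = r"\d{2}/\d{2}(?:/\d{2})?-\d{2}:\d{2}:\d{2}\.\d{6}"
_HEADER_RE = re.compile(
    rf"^(?P<ts>{_TS})(?P<gap>\s*)(?:(?P<src>\S+) -> (?P<dst>\S+))?\s*$"
)
_MSG_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]$")


@dataclass
class Alert:
    msg: str
    timestamp: str
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    fused: bool = False  # no space between timestamp and source address
    details: List[str] = field(default_factory=list)  # packet header lines


def _split_endpoint(endpoint: str):
    """'209.16.131.73:1023' -> ('209.16.131.73', 1023); no port for ICMP records."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alert_full(text: str) -> List[Alert]:
    """Parse blank-line separated alert_full records into Alert objects."""
    alerts: List[Alert] = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        m = _MSG_RE.match(lines[0])
        if m is None:
            raise ValueError(f"unrecognised record start: {lines[0]!r}")
        # Locate the timestamp line.  Assumption: later Snort releases may put
        # bracketed [Classification:] [Priority:] lines before it; skip those.
        for idx in range(1, len(lines)):
            h = _HEADER_RE.match(lines[idx])
            if h:
                break
        else:
            raise ValueError(f"no timestamp line in record {m['msg']!r}")
        alert = Alert(msg=m["msg"], timestamp=h["ts"], details=lines[idx + 1:])
        if h["src"]:
            alert.src_ip, alert.src_port = _split_endpoint(h["src"])
            alert.dst_ip, alert.dst_port = _split_endpoint(h["dst"])
            alert.fused = h["gap"] == ""
        alerts.append(alert)
    return alerts


def fused_count(alerts: List[Alert]) -> int:
    """Number of records showing the missing-space symptom from the report."""
    return sum(a.fused for a in alerts)


# Constructed sample: the first two records are taken from the report above
# (wrapped portscan line rejoined); the third is the same ssh alert rewritten
# with the space present, as a correctly formatted record looks.
SAMPLE = """\
[**] spp_portscan: portscan status from 202.38.66.21: 8 connections across 8 hosts: TCP(8), UDP(0) [**]
04/08/01-15:36:35.777164

[**] External ssh access attempt [**]
04/08/01-16:04:59.870590209.16.131.73:1023 -> 10.10.10.10:22
TCP TTL:255 TOS:0x0 ID:33220 IpLen:20 DgmLen:44 DF
******S* Seq: 0xA4FE435E  Ack: 0x0  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

[**] External ssh access attempt [**]
04/08/01-16:05:03.894923 209.16.131.73:1022 -> 10.10.10.10:22
TCP TTL:255 TOS:0x0 ID:33244 IpLen:20 DgmLen:44 DF
******S* Seq: 0xA5064F02  Ack: 0x0  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460
"""

if __name__ == "__main__":
    parsed = parse_alert_full(SAMPLE)
    for a in parsed:
        print(a.timestamp, a.src_ip, a.src_port, "->", a.dst_ip, a.dst_port,
              "(fused)" if a.fused else "", "|", a.msg)
    print("records with fused timestamp:", fused_count(parsed))
```

The point of anchoring on the fixed-width timestamp rather than on whitespace is that the parser keeps working on both the broken and the correct output, and `fused` tells you which records came from the affected build; a parser that splits on the first space would silently produce a garbage source address for those records.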
