[Snort-devel] Logging by Source or Destination IP?

Robert Wagner rwagner at ...1225...
Fri Apr 26 06:59:03 EDT 2002


These are two sample rules.  The TCP packets log to the Source IP, the UDP
packets log to the destination IP.  I have seen it with the normal rules
that come with SNORT as well.  These are just the ones that stand out.


alert tcp [!myclassc/24] 1023: -> [!myfirewall/32] 1023: (msg:"LOCAL2 Misc high port scan";flags: !AS; tag: session,300,packets;)
alert udp [!myclassc/24] 1023: -> [!myfirewall/32] 1023: (msg:"LOCAL2 Misc high port scan"; tag: session,300,packets;)


-----Original Message-----
From: Imran William Smith [mailto:iwsmith at ...1111...]
Sent: Thursday, April 25, 2002 8:06 PM
To: Robert Wagner
Subject: Re: [Snort-devel] Logging by Source or Destination IP?


have you got any rules with the <- direction?  just a guess.

Will Smith

----- Original Message ----- 
From: "Robert Wagner" <rwagner at ...1225...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Thursday, April 25, 2002 10:22 PM
Subject: [Snort-devel] Logging by Source or Destination IP?


| I am not sure if this is normal or has changed since I upgraded to 1.8.6.
| When looking for packets, I usually go to the Source IP under /var/log/snort.
| I noticed that some of the packets are logging under the destination IP.
| (UDP stood out).
| 
| Has something changed?  Thanks in advance for your assistance.  
| 