[Snort-devel] spp_portscan problem

John Papapanos jpa3nos at ...1264...
Tue Oct 1 03:41:02 EDT 2002


hi all
I have also sent this message to the snort-users list but i haven't gotten any response yet, so i thought i should send this message in this list too.
  
I use snort 1-8-7 and i read a snort binary file with the -r option and the proper configuration file
so that snort will generate, again, the alerts.( all rules are including and the log \
plugings) The problem which i have is that the timestamp of the portscans alerts 

spp_portscan: PORTSCAN DETECTED from XXX (THRESHOLD 4 connections exceeded in 0 \
                seconds) [**]09/29-03:17:02.190148 
spp_portscan: End of portscan from XXX: TOTAL time(43s) hosts(102) TCP(4) UDP(106) \
                [**]09/29-05:20:02.056458 
spp_portscan: portscan status from XXX: 10 connections across 10 hosts: TCP(2), \
UDP(8) [**]09/29-04:35:24.265486 

 which are generated, is not  the timestamp which the packets had been captured from \
snort, but the current time, that is, the time which i run snort -r snortbinaryfile.
 Of cource i wan't the timestamp when the portscan took place, in the alert logging, \
not the timestamp when snort proceding again the snortbinaryfile  
any idea about how i can solve this problem?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20021001/9b31d953/attachment.html>


More information about the Snort-devel mailing list