[Snort-devel] Fwd: [Snort-users] alerts with "[Xref => arachnids" tag bunched together in Snort alert file

James Hoagland hoagland at ...60...
Fri Oct 11 08:34:04 EDT 2002

To someone-in-the-know,

This sounds like a bug to me.  If it not (if there is not supposed to 
be a blank line between), please let me know so I can update 
SnortSnarf with this new format.



>Delivered-To: hoagland at ...63...
>From: "murcsu murcsu at ...1616..." <murcsu at ...1616...>
>To: snort-users at lists.sourceforge.net
>X-Originating-Server: ws1-8.us4.outblaze.com
>Subject: [Snort-users] alerts with "[Xref => arachnids" tag bunched 
>together in Snort
>  alert file
>Sender: snort-users-admin at lists.sourceforge.net
>X-BeenThere: snort-users at lists.sourceforge.net
>X-Mailman-Version: 2.0.9-sf.net
>List-Help: <mailto:snort-users-request at lists.sourceforge.net?subject=help>
>List-Post: <mailto:snort-users at lists.sourceforge.net>
>List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>,
>	<mailto:snort-users-request at lists.sourceforge.net?subject=subscribe>
>List-Id: Snort users talk about... Snort! <snort-users.lists.sourceforge.net>
>List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>,
>	<mailto:snort-users-request at lists.sourceforge.net?subject=unsubscribe>
>X-Original-Date: Thu, 10 Oct 2002 12:21:25 -0500
>Date: Thu, 10 Oct 2002 12:21:25 -0500
>X-Virus-Scanned: by AMaViS perl-11
>I searched the archives but didn't see any mention of this.
>Since I upgraded to Snort 1.9, the alerts with the "[Xref => arachnids"
>tag are bunched together without a blank line separating them.
>[**] [1:566:3] POLICY PCAnywhere server response [**]
>[Classification: Misc activity] [Priority: 3]
>10/09-17:37:23.059980 a.b.c.d:44100 -> w.x.y.z:5632
>UDP TTL:116 TOS:0x0 ID:15491 IpLen:20 DgmLen:30
>Len: 10
>[Xref => arachnids 239]
>[**] [1:480:2] ICMP PING speedera [**]
>[Classification: Misc activity] [Priority: 3]
>10/09-17:40:11.503608 a.b.c.d -> w.x.y.z
>ICMP TTL:49 TOS:0x0 ID:38604 IpLen:20 DgmLen:84
>Type:8  Code:0  ID:7693   Seq:59926  ECHO
>The alerts without the Xref tag display with whitespace between them.
>[**] [1:1002:5] WEB-IIS cmd.exe access [**]
>[Classification: Web Application Attack] [Priority: 1]
>10/09-23:22:12.196847 a.b.c.d:4876 -> w.x.y.z:80
>TCP TTL:117 TOS:0x0 ID:39095 IpLen:20 DgmLen:136 DF
>***AP*** Seq: 0x48142058  Ack: 0x71F0399B  Win: 0x2238  TcpLen: 20
>[**] [1:1002:5] WEB-IIS cmd.exe access [**]
>[Classification: Web Application Attack] [Priority: 1]
>10/09-23:22:12.259297 a.b.c.d:4888 -> w.x.y.z:80
>TCP TTL:117 TOS:0x0 ID:44471 IpLen:20 DgmLen:157 DF
>***AP*** Seq: 0x48198BD7  Ack: 0x71F0FC90  Win: 0x2238  TcpLen: 20
>SnortSnarf apparently uses the whitespace as a delimiter, so it will
>display a group of alerts bunched together as a single alert.
>Has anyone else run into this problem?
>My sensors are running OpenBSD 3.0.  Snort 1.9 was built from source. 
>My reporting machine is running SnortSnarf-020516.1 on Solaris 8. 
>Snort 1.9 was built from source.
>My Snort command:
>/usr/local/bin/snort -c /root/snort/snort.conf -h w.x.y.z/24 -i \
>fxp1 -A full -b -D
>My SnortSnarf command:
>/usr/local/bin/snortsnarf.pl -d $DMZ/10/10/ -ldir \
>https://reporter/dmz/2002/10/10/ -homenet w.x.y.z/24 $DMZ/10/10/alert
>Sign-up for your own FREE Personalized E-mail at Mail.com
>"Free price comparison tool gives you the best prices and cash back!"
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...60..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|

More information about the Snort-devel mailing list