[Snort-devel] spp_portscan problem

Chris Green cmg at ...835...
Wed Oct 23 05:12:03 EDT 2002


"John Papapanos" <jpa3nos at ...1264...> writes:

> Hi all,
> I have also sent this message to the snort-users list but I haven't gotten any response yet, so I thought I should send this message to this list too.
>
> I use snort 1.8.7 and I read a snort binary file with the -r option and the proper configuration file
> so that snort will generate the alerts again (all rules and the log plugins are included). The problem which I have is that the timestamp of the portscan alerts
>
> spp_portscan: PORTSCAN DETECTED from XXX (THRESHOLD 4 connections exceeded in 0 seconds) [**]09/29-03:17:02.190148
> spp_portscan: End of portscan from XXX: TOTAL time(43s) hosts(102) TCP(4) UDP(106) [**]09/29-05:20:02.056458
> spp_portscan: portscan status from XXX: 10 connections across 10 hosts: TCP(2), UDP(8) [**]09/29-04:35:24.265486
>
> which are generated is not the timestamp at which the packets had been captured by snort, but the current time, that is, the time at which I run snort -r snortbinaryfile.
> Of course I want the timestamp of when the portscan took place in the alert logging, not the timestamp of when snort processes the snortbinaryfile again.
> Any idea about how I can solve this problem?

Known limitation of the portscan preprocessor.  You can change the
calls to CallAlertFunc to include a packet if you want it to show
packet time.
-- 
Chris Green <cmg at ...402...>
"I'm beginning to think that my router may be confused."
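The mechanism behind Chris's answer, as an added illustration in C that is not Snort's own code: an alert sink that is handed no packet has nothing to stamp the alert with except the wall clock, which under -r is the replay time rather than the capture time; handing it the packet that tripped the threshold lets it use the pcap record timestamp instead. The Packet struct, snort_alert, and the two portscan_alert_* functions are hypothetical stand-ins for the real preprocessor and output code, and the sample packet timestamp is constructed to match the first quoted alert (interpreted as UTC, so the output is reproducible; Snort itself prints local time).

```c
/* Added illustration, not Snort code: how an alert raised without a packet
 * gets wall-clock time, and how passing the packet fixes it.
 * Packet, snort_alert and portscan_alert_* are hypothetical names. */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/time.h>

/* Minimal stand-in for a captured packet: only the capture timestamp
 * from the pcap record header matters for this example. */
typedef struct {
    struct timeval ts;
} Packet;

/* Format a timeval the way Snort prints alert timestamps: MM/DD-HH:MM:SS.usec.
 * UTC is used so the result is reproducible (Snort uses local time). */
static void format_ts(const struct timeval *tv, char *out, size_t outlen)
{
    time_t secs = tv->tv_sec;
    struct tm *tm = gmtime(&secs);
    char datebuf[32];
    strftime(datebuf, sizeof datebuf, "%m/%d-%H:%M:%S", tm);
    snprintf(out, outlen, "%s.%06ld", datebuf, (long)tv->tv_usec);
}

/* Alert sink. With a packet, the capture timestamp is used; without one,
 * the only time available is "now", which under -r is the replay time. */
static void snort_alert(const Packet *p, const char *msg, char *line, size_t len)
{
    struct timeval tv;
    char ts[32];
    if (p != NULL)
        tv = p->ts;
    else
        gettimeofday(&tv, NULL);
    format_ts(&tv, ts, sizeof ts);
    snprintf(line, len, "%s [**] %s", ts, msg);
}

/* "Before": the preprocessor raises the alert with no packet attached,
 * which is the behaviour the original poster observed. */
void portscan_alert_without_packet(const Packet *p, char *line, size_t len)
{
    (void)p;
    snort_alert(NULL, "spp_portscan: PORTSCAN DETECTED", line, len);
}

/* "After": the packet that crossed the threshold is passed along. */
void portscan_alert_with_packet(const Packet *p, char *line, size_t len)
{
    snort_alert(p, "spp_portscan: PORTSCAN DETECTED", line, len);
}

/* Returns 1 if the emitted alert line starts with the packet's own
 * capture timestamp, 0 if it was stamped with some other (wall-clock) time. */
int alert_uses_packet_time(const Packet *p, int pass_packet)
{
    char expected[32], line[96];
    format_ts(&p->ts, expected, sizeof expected);
    if (pass_packet)
        portscan_alert_with_packet(p, line, sizeof line);
    else
        portscan_alert_without_packet(p, line, sizeof line);
    return strncmp(line, expected, strlen(expected)) == 0;
}

int main(void)
{
    /* Constructed packet: 2002-09-29 03:17:02.190148 UTC, the time in the
     * first alert quoted above. */
    Packet p = { { 1033269422, 190148 } };
    char line[96];
    portscan_alert_without_packet(&p, line, sizeof line);
    printf("without packet: %s   <- replay (wall-clock) time\n", line);
    portscan_alert_with_packet(&p, line, sizeof line);
    printf("with packet:    %s   <- capture time\n", line);
    return 0;
}
```

Run it and the first line carries whatever time it is when you run it, while the second carries 09/29-03:17:02.190148; the "without packet" path is the one an unmodified spp_portscan takes, and changing its CallAlertFunc calls to pass the packet is what switches it to the second.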
