[Snort-devel] spp_portscan problem
cmg at ...835...
Wed Oct 23 05:12:03 EDT 2002
"John Papapanos" <jpa3nos at ...1264...> writes:
> Hi all,
> I have also sent this message to the snort-users list but I haven't gotten any response yet, so I thought I should send this message to this list too.
> I use Snort 1.8.7 and I read a Snort binary file with the -r option and the proper configuration file
> so that Snort will generate the alerts again (all rules and the log plugins are included). The problem which I have is that the timestamp of the portscan alerts
> spp_portscan: PORTSCAN DETECTED from XXX (THRESHOLD 4 connections exceeded in 0 seconds) [**]09/29-03:17:02.190148
> spp_portscan: End of portscan from XXX: TOTAL time(43s) hosts(102) TCP(4) UDP(106)
> spp_portscan: portscan status from XXX: 10 connections across 10 hosts: TCP(2), UDP(8) [**]09/29-04:35:24.265486
> which are generated is not the timestamp at which the packets had been captured by Snort, but the current time, that is, the time at which I run snort -r snortbinaryfile.
> Of course I want the timestamp when the portscan took place in the alert logging, not the timestamp when Snort processes the snortbinaryfile again.
> Any idea about how I can solve this problem?
Known limitation of the portscan preprocessor. You can change the
calls to CallAlertFunc to include a packet if you want it to show
Chris Green <cmg at ...402...>
"I'm beginning to think that my router may be confused."
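The mechanism behind this limitation, as an added illustration that is not Snort's own code: an alert raised with a packet in hand can carry the packet's capture timestamp, whereas one raised without a packet can only fall back to the wall clock, which on "snort -r" replay is the time of the replay. The packet records, the source address, the toy threshold detector and all function names below are constructed for the example; the timestamp format copies the shape seen in the quoted alerts, but the real CallAlertFunc signature is not reproduced here.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/time.h>

/* Minimal packet record, standing in for what a pcap reader hands a
 * preprocessor (constructed data, not real pcap). */
struct pkt {
    const char *src;
    unsigned short dport;
    struct timeval ts;      /* capture time from the pcap record header */
};

/* Format a timeval as "MM/DD-HH:MM:SS.usec", the shape of the timestamp in
 * the quoted alerts. UTC is used here so the output is deterministic. */
size_t format_alert_ts(const struct timeval *tv, char *buf, size_t n)
{
    time_t secs = tv->tv_sec;
    struct tm *t = gmtime(&secs);
    return (size_t)snprintf(buf, n, "%02d/%02d-%02d:%02d:%02d.%06ld",
                            t->tm_mon + 1, t->tm_mday, t->tm_hour,
                            t->tm_min, t->tm_sec, (long)tv->tv_usec);
}

/* The crux: with a packet the alert is stamped with capture time; without
 * one the only time source is the wall clock of the process doing the
 * replay, which is the behaviour the thread complains about. */
void alert_timestamp(const struct timeval *pkt_ts, struct timeval *out)
{
    if (pkt_ts != NULL)
        *out = *pkt_ts;
    else
        gettimeofday(out, NULL);
}

/* Hypothetical alert emitter: writes "TIMESTAMP [**] msg [**]" into buf. */
int emit_alert(const char *msg, const struct timeval *pkt_ts, char *buf, size_t n)
{
    struct timeval tv;
    char ts[32];
    alert_timestamp(pkt_ts, &tv);
    format_alert_ts(&tv, ts, sizeof ts);
    return snprintf(buf, n, "%s [**] %s [**]", ts, msg);
}

/* Toy threshold detector standing in for a portscan preprocessor: count
 * packets from `src` and alert once `threshold` is reached. Returns the
 * number of alerts raised; the last alert line is left in `out`.
 * use_packet_time == 0 mimics the limitation (no packet passed along). */
int scan_replay(const struct pkt *pkts, size_t n, const char *src, int threshold,
                int use_packet_time, char *out, size_t outn)
{
    int seen = 0, alerts = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(pkts[i].src, src) != 0)
            continue;
        if (++seen == threshold) {
            char msg[96];
            snprintf(msg, sizeof msg,
                     "spp_portscan: PORTSCAN DETECTED from %s (THRESHOLD %d connections exceeded)",
                     src, threshold);
            emit_alert(msg, use_packet_time ? &pkts[i].ts : NULL, out, outn);
            alerts++;
        }
    }
    return alerts;
}

/* Constructed replay: four packets from one source captured on
 * 2002-09-29 at 03:17 UTC (epoch 1033269422 = 03:17:02 that day). */
static const struct pkt capture[] = {
    { "10.0.0.5", 21,  { 1033269420, 0 } },
    { "10.0.0.5", 22,  { 1033269421, 0 } },
    { "10.0.0.5", 23,  { 1033269421, 500000 } },
    { "10.0.0.5", 25,  { 1033269422, 190148 } },
};

/* Run the constructed capture through the detector with threshold 4 and
 * return the resulting alert line (static buffer, overwritten per call). */
const char *demo_alert(int use_packet_time)
{
    static char line[192];
    scan_replay(capture, 4, "10.0.0.5", 4, use_packet_time, line, sizeof line);
    return line;
}

/* Alert count for a given threshold, always using packet time. */
int demo_alert_count(int threshold)
{
    char line[192];
    return scan_replay(capture, 4, "10.0.0.5", threshold, 1, line, sizeof line);
}

int main(void)
{
    printf("with packet:    %s\n", demo_alert(1));   /* 09/29-03:17:02.190148 ... */
    printf("without packet: %s\n", demo_alert(0));   /* today's wall-clock time  */
    return 0;
}
```

The first line printed carries the capture time of the fourth packet, the one that crossed the threshold; the second carries whatever time the program was run at, which is exactly the discrepancy in the quoted alerts. Passing the triggering packet through to the alert call is the change the reply above points at.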