[Snort-users] snort? IMPORTANT!

GMX Dumpmail Dumpmail at ...158...
Thu Jul 27 12:10:50 EDT 2000


Hi

  Ok guys, it's me again. Big thanks for the fast help! But I have
  another problem: I ONLY want Snort to print 1!!!! alert when someone
  scans for only port 21, but Snort writes 4 entries, and I only want
  to see one alert for this.
  My rule is:

  alert tcp any any -> 10.0.0.0/8 <port to listen 21,22,etc> (msg: "FTP connect";)

  OK, that works, BUT it makes 4 entries per append in snort.alert,
  like this:

[**] FTP connect [**]
07/27-17:51:15.770273 10.0.1.254:3886 -> 10.0.1.75:21
TCP TTL:128 TOS:0x0 ID:49011  DF
**S***** Seq: 0x4B4EDAD   Ack: 0x0   Win: 0x2000
TCP Options => MSS: 1460 NOP NOP SackOK 

[**] FTP connect [**]
07/27-17:51:16.179848 10.0.1.254:3886 -> 10.0.1.75:21
TCP TTL:128 TOS:0x0 ID:50291  DF
**S***** Seq: 0x4B4EDAD   Ack: 0x0   Win: 0x2000
TCP Options => MSS: 1460 NOP NOP SackOK 

[**] FTP connect [**]
07/27-17:51:16.684473 10.0.1.254:3886 -> 10.0.1.75:21
TCP TTL:128 TOS:0x0 ID:51315  DF
**S***** Seq: 0x4B4EDAD   Ack: 0x0   Win: 0x2000
TCP Options => MSS: 1460 NOP NOP SackOK 

[**] FTP connect [**]
07/27-17:51:17.184334 10.0.1.254:3886 -> 10.0.1.75:21
TCP TTL:128 TOS:0x0 ID:52595  DF
**S***** Seq: 0x4B4EDAD   Ack: 0x0   Win: 0x2000
TCP Options => MSS: 1460 NOP NOP SackOK

Then I tail the file to console 12.
Command: tail -f ../snort.alert > tty12

But the only thing from these four log entries that I want on the screen is
this line:
07/27-17:51:17.184334 10.0.1.254:3886 -> 10.0.1.75:21

Is this possible, or what script do I have to write? Different colors for
different lines would also be very handy, 22: yellow, 21: green or
something like this.......

Ok guys, I count on you, please help me quick. THX a lot

Best regards,
 Thomas                          mailto:Dumpmail at ...158...
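As an added example (my code, not from Thomas's post or from Snort), the filter below reads the multi-line snort.alert format shown above and prints only the timestamp/address line, once per connection attempt, with optional colouring by destination port. The four entries above share one source port and one Seq value about 0.5 s apart, i.e. they are retransmissions of the same SYN, which is what the (src, dst, Seq) key collapses; the SAMPLE input is constructed in the same format as the post's alerts.

```shell
# Constructed sample input in the same format as the post's alerts:
# two retransmissions of one FTP SYN, then one SSH SYN.
SAMPLE='[**] FTP connect [**]
07/27-17:51:15.770273 10.0.1.254:3886 -> 10.0.1.75:21
TCP TTL:128 TOS:0x0 ID:49011  DF
**S***** Seq: 0x4B4EDAD   Ack: 0x0   Win: 0x2000
TCP Options => MSS: 1460 NOP NOP SackOK

[**] FTP connect [**]
07/27-17:51:16.179848 10.0.1.254:3886 -> 10.0.1.75:21
TCP TTL:128 TOS:0x0 ID:50291  DF
**S***** Seq: 0x4B4EDAD   Ack: 0x0   Win: 0x2000
TCP Options => MSS: 1460 NOP NOP SackOK

[**] SSH connect [**]
07/27-17:52:01.000001 10.0.1.254:3890 -> 10.0.1.75:22
TCP TTL:128 TOS:0x0 ID:52600  DF
**S***** Seq: 0x4B4EDBE   Ack: 0x0   Win: 0x2000
TCP Options => MSS: 1460 NOP NOP SackOK'

# squash_alerts: alerts on stdin -> "timestamp src -> dst" lines on stdout,
# one per distinct (src, dst, Seq) tuple, so retransmitted SYNs are shown
# only once.  COLOR=1 wraps each line in an ANSI colour chosen by the
# destination port (21 green, 22 yellow, anything else plain).
squash_alerts() {
    awk -v color="${COLOR:-0}" '
        # Address line: "<timestamp> <src>:<sport> -> <dst>:<dport>"
        $3 == "->" && $2 ~ /^[0-9.]+:[0-9]+$/ { hdr = $0; src = $2; dst = $4; next }
        # TCP flags line carries the Seq number of the SYN.
        $2 == "Seq:" {
            key = src " " dst " " $3
            if (key in seen) next          # retransmission of a SYN already shown
            seen[key] = 1
            n = split(dst, d, ":"); port = d[n]
            c = (port == "21") ? "32" : (port == "22") ? "33" : ""
            if (color == "1" && c != "") printf "\033[%sm%s\033[0m\n", c, hdr
            else print hdr
        }'
}

# Live use on the console from the post (hypothetical path, as in the post):
# tail -f ../snort.alert | COLOR=1 squash_alerts > /dev/tty12
```

Snort's own `-A fast` alert mode also writes one line per alert, but it still emits every retransmitted SYN as a separate line, so the dedup step above is what brings the count down to one.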