[Snort-users] Tcpdump, alerts and portscans

Phil Wood cpw at ...440...
Mon Jun 25 10:40:34 EDT 2001


I think there is more to it than that.  The -A full only means that the
entire packet that caused the alert is decoded.  The -b option will write
any packet to a pcap file that was found by a snort RULE.

However, the portscan preprocessor is accumulating information in memory
which can lead to the conclusion that a scan is taking place.  It will
format alert type messages and pass them to the output processor, but not
log (pcap style) the packets that caused it to come to that conclusion.
Also, it will generate a file with a timestamp, source host/port and destination
host/port for each packet.  But, this is not something that you can replay into
snort.
 
On Mon, Jun 25, 2001 at 03:01:50AM -0400, Jason Lewis wrote:
> So, I wake up at 2:30am and realize what the problem is.  A case of lack of
> sleep and tunnel vision.  I somehow missed the -A full on the command line
> for the instance of snort reading the tcpdump file.
> 
> Sometimes just writing it down and letting it bounce around in your brain is
> the thing to do.  Thanks for listening.  ;)
> 
> Jason Lewis
> http://www.packetnexus.com
> It's not secure "Because they told me it was secure".
> The people at the other end of the link know less
> about security than you do. And that's scary.
> 
> 
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jason Lewis
> Sent: Sunday, June 24, 2001 10:40 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Tcpdump, alerts and portscans
> 
> 
> Maybe I have been looking at this too long and I am not seeing the obvious.
> Or, maybe I made an assumption about tcpdump.
> 
> I am replaying tcpdump files with snort and putting the info into ACID.  I
> am not seeing any portscans in ACID after the replay.  Is this normal?  Is
> it just a configuration setting I have overlooked?  I thought tcpdump held
> all the packet info and snort could replay it and identify portscans.
> Wrong?
> 
> On the box that is replaying the tcpdump files, I have the following:
> 
> output database: log, mysql, dbname=snort_log user=snort host=localhost
> password=abc123
> output database: alert, mysql, dbname=snort_log user=snort host=localhost
> password=abc123
> 
> What am I missing?
> 
> Jason Lewis
> http://www.packetnexus.com
> It's not secure "Because they told me it was secure".
> The people at the other end of the link know less
> about security than you do. And that's scary.
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 

-- 
Phil Wood, cpw at ...440...
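The stateful behaviour Phil describes above (the preprocessor accumulating per-source state in memory, emitting a summary alert once it concludes a scan is under way, and writing only timestamp and host/port fields rather than packets) can be modelled in a few lines. The following is an added example, not Snort's own code or the portscan preprocessor's actual logic; the threshold and window defaults, the alert wording and the packet records are constructed assumptions:

```python
"""Toy stateful portscan detector modelled on the behaviour described in the
thread for the Snort 1.x portscan preprocessor.  This is an added illustration,
not Snort's code: per source host it remembers which destination host:port
pairs were touched inside a sliding time window, raises ONE summary alert when
the count crosses a threshold, and writes a per-packet summary line (timestamp,
source host/port, destination host/port, flags).  Message wording, defaults and
packet records are all constructed."""
from collections import defaultdict, deque
from datetime import datetime, timezone

BASE = 993480034.0  # constructed epoch timestamp: 2001-06-25 14:40:34 UTC

# Constructed packet records as a pcap replay would hand them to the detector:
# (timestamp, src ip, src port, dst ip, dst port, TCP flags).  Timestamps come
# from the capture, not the wall clock, so replaying an old file still works.
PACKETS = [
    (BASE + 0.00, "10.0.0.7", 1025, "10.0.0.10", 80, "S"),   # benign web client
    (BASE + 0.10, "10.0.0.5", 40001, "10.0.0.10", 21, "S"),
    (BASE + 0.20, "10.0.0.5", 40002, "10.0.0.10", 22, "S"),
    (BASE + 0.30, "10.0.0.5", 40003, "10.0.0.10", 23, "S"),
    (BASE + 0.40, "10.0.0.7", 1026, "10.0.0.10", 80, "S"),   # same target again
    (BASE + 0.50, "10.0.0.5", 40004, "10.0.0.10", 25, "S"),
    (BASE + 0.60, "10.0.0.5", 40005, "10.0.0.10", 80, "S"),  # 5th distinct target
    (BASE + 0.70, "10.0.0.5", 40006, "10.0.0.10", 110, "S"),
    (BASE + 9.00, "10.0.0.5", 40007, "10.0.0.10", 143, "S"), # window has aged out
]


def fmt_ts(ts):
    """Syslog-style timestamp in UTC, e.g. 'Jun 25 14:40:34'."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%b %d %H:%M:%S")


class PortscanDetector:
    def __init__(self, threshold=5, window=3.0):
        self.threshold = threshold          # distinct host:port targets that count as a scan
        self.window = window                # seconds of history kept per source host
        self.history = defaultdict(deque)   # src ip -> deque of (ts, (dst ip, dst port))
        self.alerted = set()                # sources already reported for the current burst
        self.alerts = []                    # summary alerts handed to the output plugin
        self.scan_log = []                  # per-packet summary lines; no packet bytes

    def feed(self, ts, src, sport, dst, dport, flags):
        """Consume one packet; return how many distinct targets src hit in the window."""
        hist = self.history[src]
        hist.append((ts, (dst, dport)))
        # Age out anything older than the window: the state lives only in memory.
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()
        targets = {target for _, target in hist}
        if len(targets) >= self.threshold:
            # Only the fields named in the thread survive; the packet itself is
            # discarded, which is why this file cannot be replayed into snort.
            self.scan_log.append(f"{fmt_ts(ts)} {src}:{sport} -> {dst}:{dport} {flags}")
            if src not in self.alerted:
                self.alerted.add(src)
                self.alerts.append(
                    f"spp_portscan: PORTSCAN DETECTED from {src} "
                    f"({len(targets)} targets in {self.window:g} seconds)")
        else:
            self.alerted.discard(src)   # burst is over; a fresh one would alert again
        return len(targets)


def run(packets, threshold=5, window=3.0):
    """Replay packet records through a detector; return (alerts, scan_log)."""
    det = PortscanDetector(threshold, window)
    for pkt in packets:
        det.feed(*pkt)
    return det.alerts, det.scan_log


if __name__ == "__main__":
    alerts, scan_log = run(PACKETS)
    print("\n".join(alerts))
    print("\n".join(scan_log))
```

Run it directly to see one alert for 10.0.0.5 and two summary lines. Two things carry over to the real tool: the detector keys on capture timestamps, so an old tcpdump file still produces scan alerts on replay, and neither the alert nor the per-packet log retains any packet bytes, so nothing written here can be fed back into snort; the -b option Phil mentions is what produces replayable pcap output, and only for packets that matched a rule.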
