[Snort-users] snort + guardian

Dariusz Brzeziński dariusz.brzezinski at ...3372...
Sun Sep 9 14:24:01 EDT 2001


Hello,

>Guardian does not understand log entries written by spp_portscan. I
>believe someday someone is going to make a script which can handle
>spp_portscan alerts too. If you can code with Perl, you can become that
>person. =) Guardian.pl is pretty simple, it shouldn't be difficult to
>modify it.

>Yours,

>Jyri

I think guardian does understand partly snort's scan reports. Look:

Sep  9 21:46:18 211.185.206.2:22 -> 213.25.233.134:22 SYNFIN ******SF

[**] [111:13:1]  <ppp0> spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
09/09-21:46:18.573329 211.185.206.2:22 -> 213.25.233.134:22
TCP TTL:23 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x70F82E9E  Ack: 0xC00ACC4  Win: 0x404  TcpLen: 20

[**] [100:1:1]  <ppp0> spp_portscan: PORTSCAN DETECTED on ppp0 from 211.185.206.2 (STEALTH) [**]
09/09-21:46:18.574951 


here is the report of guardian:


Sun Sep  9 21:46:18 2001: 211.185.206.2 [111:13:1]  <ppp0> spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
adding '-A input -s 211.185.206.2 -i ppp0 -j DENY' to ipchains
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-- 
Best regards,
 Dariusz                          mailto:dariusz.brzezinski at ...3372...
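To show what the two quoted alert records look like to an alert-parsing responder, here is an added example in Python (it is not guardian.pl, which is Perl, and not Snort code). It assumes only the Snort 1.x alert text format as quoted above: a `[**] [gid:sid:rev] <iface> message [**]` header, followed either by a `timestamp src:port -> dst:port` packet line (spp_stream4) or by a bare timestamp (spp_portscan). The sample input is the quoted alert text, embedded as a constructed string.

```python
"""Parse Snort 1.x alert records and show which of them a Guardian-style
responder can pull a source address from.  Added example; not code from
guardian.pl or from Snort."""
import re

# Constructed sample input: the two alert records quoted in the post.
SNORT_ALERTS = """\
[**] [111:13:1]  <ppp0> spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
09/09-21:46:18.573329 211.185.206.2:22 -> 213.25.233.134:22
TCP TTL:23 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x70F82E9E  Ack: 0xC00ACC4  Win: 0x404  TcpLen: 20

[**] [100:1:1]  <ppp0> spp_portscan: PORTSCAN DETECTED on ppp0 from 211.185.206.2 (STEALTH) [**]
09/09-21:46:18.574951 
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Alert header: [**] [gid:sid:rev]  <iface> message [**]   (interface is optional)
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\]\s+(?:<([^>]+)>\s+)?(.*?) \[\*\*\]\s*$")
# Packet line written by most preprocessors/rules: timestamp src[:port] -> dst[:port]
PACKET_RE = re.compile(rf"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+({IP})(?::\d+)?\s+->\s+({IP})(?::\d+)?")
# spp_portscan writes only a timestamp on its second line
TIMESTAMP_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s*$")
# ...and keeps the scanner's address inside the message text instead
FROM_RE = re.compile(rf"\bfrom ({IP})\b")


def parse_alerts(text):
    """Split alert text into records; return one dict per record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        header = HEADER_RE.match(lines[0])
        if not header:
            continue  # not an alert header: skip the chunk
        gid, sid, rev, iface, msg = header.groups()
        rec = {"sid": (int(gid), int(sid), int(rev)), "iface": iface, "msg": msg,
               "timestamp": None, "src": None, "dst": None, "src_source": None}
        if len(lines) > 1:
            pkt = PACKET_RE.match(lines[1])
            if pkt:
                rec["timestamp"], rec["src"], rec["dst"] = pkt.groups()
                rec["src_source"] = "packet_line"
            else:
                ts = TIMESTAMP_RE.match(lines[1])
                if ts:
                    rec["timestamp"] = ts.group(1)
        if rec["src"] is None:
            # Fallback for spp_portscan: the address lives in the message
            m = FROM_RE.search(msg)
            if m:
                rec["src"] = m.group(1)
                rec["src_source"] = "message"
        records.append(rec)
    return records


def guardian_style_sources(records):
    """Addresses a parser that reads only the src -> dst packet line acts on."""
    return [r["src"] for r in records if r["src_source"] == "packet_line"]


def all_sources(records):
    """Addresses recoverable once the 'from <ip>' message text is parsed as well."""
    return sorted({r["src"] for r in records if r["src"]})


def ipchains_rule(src, iface):
    """The rule shape Guardian logged in the post."""
    return f"-A input -s {src} -i {iface} -j DENY"


if __name__ == "__main__":
    recs = parse_alerts(SNORT_ALERTS)
    for r in recs:
        print(r["sid"], r["msg"], "->", r["src"], f"({r['src_source']})")
    for src in guardian_style_sources(recs):
        print("adding", repr(ipchains_rule(src, "ppp0")), "to ipchains")
```

Run as shown, the stream4 record yields its source from the packet line while the spp_portscan record yields it only from the message text, which is consistent with Guardian reacting to the first alert in the post and not the second. One caveat for anyone extending a responder this way: a single-packet alert such as a SYN FIN probe carries a forgeable source address, so blocking on it lets a third party choose which addresses get denied; rate limits, an allow-list of addresses that must never be blocked, and rule expiry are the usual safeguards.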