[Snort-users] snort + guardian

Dariusz Brzeziński dariusz.brzezinski at ...3372...
Sun Sep 9 14:24:01 EDT 2001


>Guardian does not understand log entries written by spp_portscan. I
>believe someday someone is going to make a script which can handle
>spp_portscan alerts too. If you can code with Perl, you can become that
>person. =) Guardian.pl is pretty simple, it shouldn't be difficult to
>modify it.

I think guardian does partly understand snort's scan reports. Look:

Sep  9 21:46:18 -> SYNFIN ******SF

[**] [111:13:1]  <ppp0> spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
09/09-21:46:18.573329 ->
TCP TTL:23 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x70F82E9E  Ack: 0xC00ACC4  Win: 0x404  TcpLen: 20

[**] [100:1:1]  <ppp0> spp_portscan: PORTSCAN DETECTED on ppp0 from (STEALTH) [**]

Here is guardian's report:

Sun Sep  9 21:46:18 2001: [111:13:1]  <ppp0> spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
adding '-A input -s -i ppp0 -j DENY' to ipchains

Best regards,
 Dariusz                          mailto:dariusz.brzezinski at ...3372...
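To make the difference in the two alert formats above concrete, here is a small added parser (not guardian.pl's code; the addresses below are constructed, since the list archive stripped the real ones). The spp_stream4 alert carries its source on the packet-header line after the timestamp, while spp_portscan carries it inside the message text and has no packet line at all, so a script that only looks for the "->" line never finds a source for the portscan alert.

```python
import re

# Constructed sample in Snort's full-alert format (addresses are made up;
# the post's own excerpt had them stripped by the list archive).
SAMPLE_ALERTS = """\
[**] [111:13:1]  <ppp0> spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
09/09-21:46:18.573329 192.0.2.10:55123 -> 198.51.100.7:80
TCP TTL:23 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x70F82E9E  Ack: 0xC00ACC4  Win: 0x404  TcpLen: 20

[**] [100:1:1]  <ppp0> spp_portscan: PORTSCAN DETECTED on ppp0 from 192.0.2.10 (STEALTH) [**]
"""

# "[**] [gid:sid:rev]  <iface> message [**]"; the <iface> part is optional.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\]\s+(?:<(\S+)>\s+)?(.*?) \[\*\*\]$")
# "<timestamp> src[:port] -> dst[:port]" packet-header line.
PACKET_RE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::\d+)?$")
# spp_portscan names the offender inside the alert message itself.
PORTSCAN_RE = re.compile(r"PORTSCAN DETECTED .*?from (\d+\.\d+\.\d+\.\d+)")

def parse_alerts(text):
    """Return a list of dicts with sid, interface, message and source address."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            gid, sid, rev, iface, msg = m.groups()
            current = {"sid": (int(gid), int(sid), int(rev)), "iface": iface,
                       "msg": msg, "src": None}
            p = PORTSCAN_RE.search(msg)
            if p:
                current["src"] = p.group(1)
            alerts.append(current)
            continue
        m = PACKET_RE.match(line)
        if m and current is not None and current["src"] is None:
            current["src"] = m.group(1)
    return alerts

def ipchains_rule(alert, never_block=("127.0.0.1",)):
    """Build the DENY rule guardian adds, or None if there is no usable source.

    never_block is an assumed safety list so the gateway cannot lock itself out."""
    src = alert["src"]
    if src is None or src in never_block:
        return None
    iface = alert["iface"] or "ppp0"
    return f"-A input -s {src} -i {iface} -j DENY"
```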
