[Snort-users] Log vs. Alert --end the confusion!

Williams Jon WilliamsJon at ...2134...
Tue Aug 13 06:18:03 EDT 2002


While we're talking about how preprocessors log packets, could someone help
me out with the stream4 preprocessor?  There are a number of seemingly
useful alerts that come out of it, such as the TTL evasion alerts, but when
I go to the log, it looks as if snort only logs the last packet or the one
that actually triggered the alert.  As a result, it is very difficult to go
back through and describe to the "attacker" or their ISP what the activity
was.  Obviously, the stream4 preprocessor had to have had all of the packets
go through it and remember that the TTL was 5 on packet A, 8 on B, and so
on.  Is it possible to get it to write out all the packets in the offending
stream?  This goes for all the alerts that come out of this preprocessor,
and not just the TTL one.

Thanks.

Jon
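What Jon is asking for, as an added example that is not part of the original thread or of Snort itself: given a full-packet log (here a constructed list of packet records; field names are assumptions) and the packet number an alert pointed at, pull out every packet of that TCP stream and list the per-packet TTLs, so the whole activity can be described rather than just the triggering packet.

```python
"""Reconstruct the full TCP stream around an alerting packet from a
full-packet log and list the TTLs seen in that stream.

The packet records below are constructed for this example; a real run
would fill them from a tcpdump/pcap log. Field names are assumptions."""
from collections import defaultdict

# Constructed sample: one client->server stream whose TTL changes between
# packets (the pattern a TTL-evasion check reacts to) plus an unrelated
# stream that must not be mixed in.
PACKETS = [
    {"n": 1, "src": "10.0.0.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80, "ttl": 64},
    {"n": 2, "src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 40000, "ttl": 128},
    {"n": 3, "src": "10.0.0.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80, "ttl": 5},
    {"n": 4, "src": "10.0.0.7", "sport": 51000, "dst": "192.0.2.10", "dport": 80, "ttl": 64},
    {"n": 5, "src": "10.0.0.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80, "ttl": 8},
]

def flow_key(pkt):
    """Direction-independent 5-tuple so both halves of a conversation share a key."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (a, b) if a <= b else (b, a)

def stream_for(packets, alert_pkt_no):
    """Return every logged packet in the same TCP stream as the alerting packet,
    in the order they were logged."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    alert = next(p for p in packets if p["n"] == alert_pkt_no)
    return flows[flow_key(alert)]

def ttl_report(stream, client):
    """TTL sequence of the packets `client` sent in this stream; a value that
    changes within one stream is what the evasion check keys on."""
    ttls = [p["ttl"] for p in stream if p["src"] == client]
    return {"ttls": ttls, "varies": len(set(ttls)) > 1}

if __name__ == "__main__":
    stream = stream_for(PACKETS, 5)  # packet 5 is the one the alert pointed at
    for p in stream:
        print(p["n"], p["src"], "->", p["dst"], "ttl", p["ttl"])
    print(ttl_report(stream, "10.0.0.5"))
```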

-----Original Message-----
From: Chris Green [mailto:cmg at ...1935...]
Sent: Monday, August 12, 2002 5:04 PM
To: Steve Halligan
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Log vs. Alert --end the confusion!

Steve Halligan <giermo at ...187...> writes:

> As an aside.  I would like to put my vote in for a single generic message
> from portscan2.  As it is, the msg looks like this "Portscan detected from
> a.b.c.d blah blah blah".  For those of us that use a database, this adds a
> unique signature for each and every portscan.  In addition to clogging up
> the signature table, it frustrates signature based queries.  Why put the
> ip in the message?  You can see it in the ip addr field anyway.  If you need
> to know the number of ports/hosts, you can look in the scan.log.
>

Yeah... This makes sense.  I'll add that.  Thanks for reminding me on
mail instead of IRC.
