[Snort-users] Snortsnarf 020516.1 and Snort 1.9.0 errors

James Hoagland hoagland at ...47...
Tue Oct 15 12:37:04 EDT 2002


At 10:28 AM -0400 10/15/02, Eric Joe wrote:
>Are there any known issues with Snortsnarf 020516.1 and Snort 1.9.0?

Yes.

Soon, I'm going to be getting a new version of SnortSnarf together to 
address the issues folks have been having with the output coming out 
of Snort 1.9.  (Some of these problems are due to bugs in Snort, but 
I'll try to work around them.)

I know some folks have already sent me information, but in order to 
make sure my coverage is complete enough, can folks tell me (in 
private e-mail, not to this list) what output format (e.g., fast 
alert format) SnortSnarf is having problems with and if possible some 
specific problem alerts?

Thank you,

   Jim

>
>Since upgrading to 1.9.0 I get a lot of errors when parsing the alerts file.
>
>Here is the command I use
>
>perl /home/snort/SnortSnarf/snortsnarf.pl /var/log/snort/alert
>
>
>and here are some example errors
>
>unknown alert format for line: TCP Options (4) => MSS: 1460 NOP NOP SackOK
>; skipping
>unknown alert format for line: TCP TTL:64 TOS:0x0 ID:6512 IpLen:20
>DgmLen:60 DF; skipping
>unknown alert format for line: ******S* Seq: 0x700AFBA3  Ack: 0x0  Win:
>0x16D0TcpLen: 40
>; skipping
>unknown alert format for line: TCP Options (5) => MSS: 1460 SackOK TS:
>427680467 0 NOP WS: 0
>; skipping
>unknown alert format for line: UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:72 DF
>; skipping
>unknown alert format for line: Len: 52
>; skipping
>unknown alert format for line: UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:82 DF
>; skipping
>unknown alert format for line: Len: 62
>; skipping
>
>Thanks
>
>--
>Eric Joe
>Network Operations
>Journey's End Internet/Computer Connection Inc
>
>
>
>


-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|



