[Snort-users] format of logs

Serge Leschinsky fish at ...6175...
Thu Oct 17 22:04:05 EDT 2002


Dear colleagues.

In 1.8.7 I have logs like the following:
> [**] FTP EXPLOIT CWD overflow [**]
> 10/14-10:45:41.167403 212.91.214.124:1127 -> 217.18.136.66:21
> TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:174
> ***AP*** Seq: 0xDB2DDDA2  Ack: 0xD9260  Win: 0x7FB8  TcpLen: 20
> 55 53 45 52 20 61 6E 6F 6E 79 6D 6F 75 73 0D 0A  USER anonymous..
> 50 41 53 53 20 49 45 55 73 65 72 40 0D 0A 66 65  PASS IEUser at ...7210...
> 61 74 0D 0A 73 79 73 74 0D 0A 50 57 44 0D 0A 43  at..syst..PWD..C
> 57 44 20 2F 64 69 73 74 72 69 62 75 74 6F 72 73  WD /distributors
> 2F 0D 0A 54 59 50 45 20 41 0D 0A 50 4F 52 54 20  /..TYPE A..PORT
> 32 31 32 2C 39 31 2C 32 31 34 2C 31 32 34 2C 34  212,91,214,124,4
> 2C 31 30 34 0D 0A 4C 49 53 54 0D 0A 43 57 44 20  ,104..LIST..CWD
> 2F 64 69 73 74 72 69 62 75 74 6F 72 73 2F 53 6B  /distributors/Sk
> 6C 61 64 2F 0D 0A                                lad/..
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

but in 1.9.0 the logs are less informative (for me):
> [**] ATTACK RESPONSES id check returned root [**]
> 10/18-10:02:21.464079 205.206.231.10:80 -> 217.18.136.93:1282
> TCP TTL:37 TOS:0x0 ID:37754 IpLen:20 DgmLen:1500 DF
> ***AP*** Seq: 0x3BCD07EE  Ack: 0x2E4CE9AC  Win: 0x7C70  TcpLen: 32
> TCP Options (3) =>> NOP NOP TS: 111685230 293611174
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Can I do something to get the same logs in 1.9.0 as in 1.8.x?

-- 
Yours sincerely
      Serge Leschinsky          mailto:fish at ...6175...          

Please visit this link:  http://rotter.net/israel
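The two quoted records are in Snort's "full" alert format. As an added example (not code from the post or from the Snort project), here is a small Python parser that reads records in that format, rebuilds the payload from the hex columns, and compares its length with what the IP header fields imply (DgmLen - IpLen - TcpLen), so records that arrived without a payload dump, like the 1.9.0 one, are flagged rather than silently accepted. The sample log is constructed from the two records quoted above (the ASCII column of the second FTP line is rendered from its hex bytes, since the archive obfuscated it); the field layout assumed is the one visible in those records.

```python
"""Parser for Snort 'full' alert-log records (added example, not Snort code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the two records quoted in the post.
SAMPLE_LOG = """\
[**] FTP EXPLOIT CWD overflow [**]
10/14-10:45:41.167403 212.91.214.124:1127 -> 217.18.136.66:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:174
***AP*** Seq: 0xDB2DDDA2  Ack: 0xD9260  Win: 0x7FB8  TcpLen: 20
55 53 45 52 20 61 6E 6F 6E 79 6D 6F 75 73 0D 0A  USER anonymous..
50 41 53 53 20 49 45 55 73 65 72 40 0D 0A 66 65  PASS IEUser@..fe
61 74 0D 0A 73 79 73 74 0D 0A 50 57 44 0D 0A 43  at..syst..PWD..C
57 44 20 2F 64 69 73 74 72 69 62 75 74 6F 72 73  WD /distributors
2F 0D 0A 54 59 50 45 20 41 0D 0A 50 4F 52 54 20  /..TYPE A..PORT
32 31 32 2C 39 31 2C 32 31 34 2C 31 32 34 2C 34  212,91,214,124,4
2C 31 30 34 0D 0A 4C 49 53 54 0D 0A 43 57 44 20  ,104..LIST..CWD
2F 64 69 73 74 72 69 62 75 74 6F 72 73 2F 53 6B  /distributors/Sk
6C 61 64 2F 0D 0A                                lad/..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] ATTACK RESPONSES id check returned root [**]
10/18-10:02:21.464079 205.206.231.10:80 -> 217.18.136.93:1282
TCP TTL:37 TOS:0x0 ID:37754 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x3BCD07EE  Ack: 0x2E4CE9AC  Win: 0x7C70  TcpLen: 32
TCP Options (3) =>> NOP NOP TS: 111685230 293611174
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

MSG_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]$")
CONN_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
                     r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
IP_RE = re.compile(r"^(?P<proto>[A-Z]+)\s+TTL:(?P<ttl>\d+)\s+TOS:0x[0-9A-Fa-f]+\s+ID:(?P<ipid>\d+)"
                   r"\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)(?P<flags>(?:\s+[A-Z]+)*)$")
TCP_RE = re.compile(r"^(?P<flags>[A-Z*12]{8})\s+Seq:\s*0x[0-9A-Fa-f]+\s+Ack:\s*0x[0-9A-Fa-f]+"
                    r"\s+Win:\s*0x[0-9A-Fa-f]+\s+TcpLen:\s*(?P<tcplen>\d+)$")
HEX_PAIR_RE = re.compile(r"^[0-9A-F]{2}$")
TOKEN_RE = re.compile(r"\S+")


@dataclass
class Alert:
    msg: str
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ttl: int
    ipid: int
    iplen: int
    dgmlen: int
    ip_flags: List[str]
    tcp_flags: str
    tcplen: int
    tcp_options: Optional[str]
    payload: bytes

    def expected_payload_len(self) -> int:
        # IP total length minus the IP header minus the TCP header (options included).
        return self.dgmlen - self.iplen - self.tcplen

    def payload_complete(self) -> bool:
        return len(self.payload) == self.expected_payload_len()


def parse_hex_line(line: str) -> Optional[bytes]:
    """Snort prints each payload byte as '%02X ' (single spaces between pairs)
    and then, after a second space, the ASCII rendering.  We take the leading
    run of hex pairs separated by exactly one space, at most 16 per line, and
    ignore the ASCII column, where non-printables are already collapsed to '.'."""
    out, prev_end = bytearray(), 0
    for m in TOKEN_RE.finditer(line):
        if len(out) == 16 or m.start() - prev_end > 1 or not HEX_PAIR_RE.match(m.group()):
            break
        out.append(int(m.group(), 16))
        prev_end = m.end()
    return bytes(out) if out else None


def parse_record(block: str) -> Optional[Alert]:
    """Parse one record (the text between two =+=+ separator lines)."""
    f, payload, options = {}, bytearray(), None
    for raw in block.splitlines():
        ln = raw.strip()
        if not ln:
            continue
        if (m := MSG_RE.match(ln)):
            f["msg"] = m["msg"]
        elif (m := CONN_RE.match(ln)):
            f.update(timestamp=m["ts"], src=m["src"], sport=int(m["sport"]),
                     dst=m["dst"], dport=int(m["dport"]))
        elif (m := IP_RE.match(ln)):
            f.update(proto=m["proto"], ttl=int(m["ttl"]), ipid=int(m["ipid"]),
                     iplen=int(m["iplen"]), dgmlen=int(m["dgmlen"]), ip_flags=m["flags"].split())
        elif (m := TCP_RE.match(ln)):
            f.update(tcp_flags=m["flags"], tcplen=int(m["tcplen"]))
        elif ln.startswith("TCP Options"):
            options = ln.split("=>>", 1)[-1].strip()
        else:
            chunk = parse_hex_line(ln)
            if chunk:
                payload.extend(chunk)
    if not {"msg", "dgmlen", "tcplen"} <= f.keys():
        return None  # incomplete record: cannot judge the payload
    return Alert(tcp_options=options, payload=bytes(payload), **f)


def parse_log(text: str) -> List[Alert]:
    blocks = re.split(r"^=\+=\+.*$", text, flags=re.MULTILINE)
    return [a for a in (parse_record(b) for b in blocks) if a is not None]


def audit(alerts: List[Alert]) -> List[str]:
    """One line per alert stating whether the dumped payload matches the headers."""
    out = []
    for a in alerts:
        want = a.expected_payload_len()
        if not a.payload:
            status = f"NO PAYLOAD DUMP ({want} bytes expected from headers)"
        elif a.payload_complete():
            status = f"payload OK ({want} bytes)"
        else:
            status = f"payload TRUNCATED ({len(a.payload)} of {want} bytes)"
        out.append(f"{a.timestamp} {a.src}:{a.sport} -> {a.dst}:{a.dport} [{a.msg}] {status}")
    return out


if __name__ == "__main__":
    for line in audit(parse_log(SAMPLE_LOG)):
        print(line)
```

Run against the sample, the 1.8.7 record parses to the 134 payload bytes the headers announce, while the 1.9.0 record is reported as having no payload dump at all; the same check run over a real alert file separates "Snort did not dump the payload" from "the payload was dumped but cut short".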