[Snort-users] UDP Portscans Are Not Capture

James Hoagland hoagland at ...47...
Mon Sep 30 09:38:02 EDT 2002


At 6:53 PM +0300 9/30/02, Grigoris Vidakis wrote:
>dear sir
>i run snort Version 1.8.3 (Build 88) in the linux 7.3 (2.4.18-3) and it
>capture and aler me for upd portscans
>BUT in the same box which the same kernel and libpcap the snort Version
>1.8.7 (Build 128) does not capture them..

To be clear, are you giving the same file as input (with -r) both 
times.  That is, are both snorts seeing the same stream of packets? 
If this is the case, then we'll need to investigate.

Or, is the case that the output of snort 1.8.3 (via -b) is becoming 
the input to snort 1.8.7 (via -r)?  If this is the case, then Erek 
correctly noted that the binary (libpcap format) output of 1.8.3 may 
not be as complete as you think.  Specifically, the packets that 
spp_portscan writes to its portscan.log file will only appear in that 
file and will not appear in in binary output file.

Please let us know which of the two situations applies to you.

Best regards,

   Jim

(P.s. For those that read snort-devel, the #2 case is another place 
when my contribution from last night can help.)

-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|




More information about the Snort-users mailing list