[Snort-users] UDP Portscans Are Not Capture
hoagland at ...47...
Mon Sep 30 09:38:02 EDT 2002
At 6:53 PM +0300 9/30/02, Grigoris Vidakis wrote:
>I run snort Version 1.8.3 (Build 88) on Linux 7.3 (2.4.18-3) and it
>captures and alerts me for UDP portscans,
>BUT on the same box with the same kernel and libpcap, snort Version
>1.8.7 (Build 128) does not capture them..
To be clear, are you giving the same file as input (with -r) both
times? That is, are both snorts seeing the same stream of packets?
If this is the case, then we'll need to investigate.
Or, is it the case that the output of snort 1.8.3 (via -b) is becoming
the input to snort 1.8.7 (via -r)? If this is the case, then Erek
correctly noted that the binary (libpcap format) output of 1.8.3 may
not be as complete as you think. Specifically, the packets that
spp_portscan writes to its portscan.log file will only appear in that
file and will not appear in the binary output file.
Please let us know which of the two situations applies to you.
(P.s. For those that read snort-devel, the #2 case is another place
where my contribution from last night can help.)
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...47..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
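As an added illustration of the second situation Jim describes (this is not code from the thread or from Snort), the Python below reads a libpcap file such as a -b output and reports which source addresses touched many distinct UDP destination ports. If the scanner's packets never made it into the -b file, a replay with -r has nothing for spp_portscan to see. The sample capture is constructed inline and the port threshold is an assumed parameter, not Snort's default.

```python
import struct
from collections import defaultdict

def parse_pcap_udp(data):
    """Return {src_ip: set(dst_ports)} for IPv4/UDP packets in a raw
    libpcap byte string (Ethernet link type only)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"            # little-endian writer
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"            # big-endian writer
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet (DLT_EN10MB) link type")
    ports = defaultdict(set)
    off = 24                    # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue            # not IPv4, or too short for an IP header
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17 or len(ip) < ihl + 8:
            continue            # not UDP, or truncated before the UDP header
        src = ".".join(str(b) for b in ip[12:16])
        ports[src].add(struct.unpack("!H", ip[ihl + 2:ihl + 4])[0])
    return dict(ports)

def scan_sources(ports, min_ports):
    """Sources that hit at least min_ports distinct UDP ports (assumed threshold)."""
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)

def _udp_frame(src, dst, sport, dport):
    # Minimal Ethernet/IPv4/UDP frame for the constructed sample; checksums left zero.
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample: 10.0.0.5 sweeps UDP ports 1-12 on 10.0.0.1; 10.0.0.7 sends one DNS query.
SAMPLE_PCAP = _pcap([_udp_frame("10.0.0.5", "10.0.0.1", 40000 + i, i) for i in range(1, 13)]
                    + [_udp_frame("10.0.0.7", "10.0.0.1", 5353, 53)])
```

Run it against the real -b file with `parse_pcap_udp(open(path, "rb").read())`; an empty result for the suspected scanner confirms the packets live only in portscan.log.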