[Snort-users] Syslog Alert format?

JP Vossen vossenjp at ...8683...
Thu Dec 11 22:00:00 EST 2003


There is probably an obvious answer to this, but if so it's eluding me at the
moment.  I see a lot of Snort events from a lot of customer networks from all
over the world.  Every once in a while I see syslog alerts that are different
from what I expect.  I have a ton of regular expressions to filter things, and I
get odd stuff that doesn't match.

For example, I'm getting this one; note the missing src and dst ports (made-up
IPs):

...BAD-TRAFFIC bad frag bits [Classification: Misc activity] [Priority: 3]:
{TCP} 172.16.52.75 -> 10.10.10.81

I'm expecting something like this:
	{TCP} 172.16.52.75:80 -> 10.10.10.81:3565

Off the top of my head, I don't even know how to do that on purpose!  How do
you change the output?  I sometimes see missing ports, or missing punctuation
here and there...  What am I not considering here?

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
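A parser that accepts both alert shapes quoted in the message above, added here as an example; it is not part of the original post and not Snort's own code. The optional port groups rest on the assumption that Snort's syslog output plugin prints "{PROTO} src -> dst" without ports whenever it has no transport header to decode (a packet it treats as an IP fragment, which fits a "bad frag bits" hit, and ICMP events), and the optional "[Classification: ...]" bracket on the assumption that rules without a classtype omit it. The syslog header, hostname, pid, rule names other than "BAD-TRAFFIC bad frag bits", and the local-range "[1:100000x:1]" gid:sid:rev tokens in the sample lines are constructed for illustration.

```python
import re
from typing import Optional

# Regex for the tail of a Snort syslog alert.  src/dst ports are optional
# because (assumption, see lead-in) Snort prints only "{PROTO} src -> dst"
# when there is no transport header to decode.  The [Classification: ...]
# bracket is optional for rules without a classtype.  Everything before the
# rule message (syslog header, process, [gid:sid:rev]) is absorbed lazily
# into "prefix"; the message itself is taken as bracket-free text.
ALERT_RE = re.compile(
    r"""
    ^(?P<prefix>.*?)                                   # syslog header, pid, [gid:sid:rev]
    (?P<msg>[^\[\]]+?)\s+                              # rule message text
    (?:\[Classification:\s(?P<classification>[^\]]+)\]\s)?
    \[Priority:\s(?P<priority>\d+)\]:\s
    \{(?P<proto>[A-Z0-9]+)\}\s
    (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?
    \s->\s
    (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?
    \s*$
    """,
    re.VERBOSE,
)

# Constructed sample lines.  The first two reproduce the two formats from the
# post (same made-up IPs); the third is a port-less ICMP alert without a
# classification; the fourth is a non-Snort syslog line that must not match.
SAMPLE_LINES = [
    "Dec 11 21:58:03 sensor1 snort[1234]: [1:1000001:1] BAD-TRAFFIC bad frag bits "
    "[Classification: Misc activity] [Priority: 3]: {TCP} 172.16.52.75 -> 10.10.10.81",
    "Dec 11 21:58:04 sensor1 snort[1234]: [1:1000002:1] WEB-MISC constructed rule "
    "[Classification: Misc activity] [Priority: 3]: {TCP} 172.16.52.75:80 -> 10.10.10.81:3565",
    "Dec 11 21:58:05 sensor1 snort[1234]: [1:1000003:1] ICMP constructed ping rule "
    "[Priority: 3]: {ICMP} 172.16.52.75 -> 10.10.10.81",
    "Dec 11 21:58:06 sensor1 sshd[77]: Accepted publickey for jp from 10.10.10.81 port 51022",
]


def parse_alert(line: str) -> Optional[dict]:
    """Return the alert fields as a dict, or None if the line is not a Snort alert.

    Ports are ints when present and None when Snort omitted them, so a downstream
    filter can branch on has_ports instead of silently dropping the event.
    """
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "msg": d["msg"].strip(),
        "classification": d["classification"],
        "priority": int(d["priority"]),
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] is not None else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] is not None else None,
        "has_ports": d["sport"] is not None and d["dport"] is not None,
    }


def triage(lines):
    """Split a batch of syslog lines into (parsed alerts, port-less alerts, unmatched lines).

    Keeping the unmatched lines is the point: the leftovers are exactly the
    "odd stuff that doesn't match" that a port-mandatory regex would lose.
    """
    alerts, unmatched = [], []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            unmatched.append(line)
        else:
            alerts.append(alert)
    portless = [a for a in alerts if not a["has_ports"]]
    return alerts, portless, unmatched


if __name__ == "__main__":
    alerts, portless, unmatched = triage(SAMPLE_LINES)
    for a in alerts:
        ports = f"{a['sport']}->{a['dport']}" if a["has_ports"] else "(no ports)"
        print(f"{a['proto']:5} {a['src']} -> {a['dst']} {ports:12} {a['msg']}")
    print(f"{len(alerts)} alerts, {len(portless)} without ports, {len(unmatched)} unmatched")
```

Run it as a script to see the three alerts and the one leftover line; in a real pipeline feed it the syslog stream and review whatever lands in the unmatched list rather than discarding it.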
