[Snort-users] Syslog Alert format?

Ralf Spenneberg lists at ...9778...
Fri Dec 12 01:11:02 EST 2003

On Fri, 2003-12-12 at 06:25, JP Vossen wrote:

> For example, I'm getting this one, note the missing src and dst ports (made
> up IPs):
> ...BAD-TRAFFIC bad frag bits [Classification: Misc activity] [Priority: 3]:
> {TCP} ->
This is a fragmented packet. Fragments only carry the original IP header
but not any upper protocol header like a TCP header. Snort can therefore
just determine the upper layer protocol (like TCP) but not any
additional TCP information like below.
> I'm expecting something like this:
> 	{TCP} ->

> Off the top of my head, I don't even know how to do that on purpose!  How do
> you change the output? 
The output is not changed. The packet just does not provide the


Ralf Spenneberg

Book: VPN mit Linux
Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
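The parsing consequence of this reply, as an added example (not code from the thread or from Snort itself): a small Python parser for the Snort syslog alert line that accepts both the usual `src:port -> dst:port` form and the bare `src -> dst` form of a fragment alert, flagging the latter instead of rejecting it. The syslog header regex, the optional `[gid:sid:rev]` prefix, and the sample lines with their hostname, pid, SIDs and IPs are assumptions constructed for this example.

```python
import re
from typing import Optional

# Assumed Snort syslog alert shape; the [gid:sid:rev] prefix and :port suffixes are optional:
#   [gid:sid:rev] <msg> [Classification: <c>] [Priority: <n>]: {PROTO} src[:sport] -> dst[:dport]
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?"
    r"(?P<msg>.+?)\s+\[Classification:\s*(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]:\s+\{(?P<proto>[A-Z0-9]+)\}\s+"
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))?\s+->\s+(?P<dst>{IPV4})(?::(?P<dport>\d+))?\s*$"
)
# Syslog header up to "snort[pid]: " (assumed layout; adjust for your syslog daemon)
SYSLOG_PREFIX = re.compile(r"^.*?snort\[\d+\]:\s*")


def parse_alert(line: str) -> Optional[dict]:
    """Parse one Snort syslog alert line into a dict; None if it does not match."""
    m = ALERT_RE.match(SYSLOG_PREFIX.sub("", line).strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert


def is_fragment(alert: dict) -> bool:
    """TCP/UDP alert without ports: Snort saw only the IP header, so the packet is a fragment.
    ICMP and other port-less protocols never carry ports and are not flagged."""
    return alert["proto"] in ("TCP", "UDP") and alert["sport"] is None and alert["dport"] is None


def endpoints(alert: dict) -> str:
    """Render src/dst for a report, saying explicitly when the ports are not knowable."""
    if is_fragment(alert):
        return f"{alert['src']} -> {alert['dst']} (fragment: ports not in packet)"
    if alert["sport"] is None:  # ICMP and similar
        return f"{alert['src']} -> {alert['dst']}"
    return f"{alert['src']}:{alert['sport']} -> {alert['dst']}:{alert['dport']}"


# Constructed sample lines (hostname, pid, SIDs and IPs are made up for this example)
SAMPLE_LINES = [
    "Dec 12 06:25:01 sensor snort[1234]: [1:1322:4] BAD-TRAFFIC bad frag bits "
    "[Classification: Misc activity] [Priority: 3]: {TCP} 192.0.2.10 -> 198.51.100.20",
    "Dec 12 06:25:02 sensor snort[1234]: [1:1000001:1] LOCAL example web probe "
    "[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:40000 -> 198.51.100.20:80",
    "Dec 12 06:25:03 sensor snort[1234]: [1:1000002:1] LOCAL example ping "
    "[Classification: Misc activity] [Priority: 3]: {ICMP} 192.0.2.10 -> 198.51.100.20",
]
```

Running `endpoints(parse_alert(line))` over `SAMPLE_LINES` gives one line with `(fragment: ports not in packet)`, one with both ports, and one bare ICMP pair.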
