[Snort-users] Syslog Alert format?

Ralf Spenneberg lists at ...9778...
Fri Dec 12 01:11:02 EST 2003


On Fri, 2003-12-12 at 06:25, JP Vossen wrote:

> For example, I'm getting this one, note the missing src and dst ports (made
> up IPs):
> 
> ...BAD-TRAFFIC bad frag bits [Classification: Misc activity] [Priority: 3]:
> {TCP} 172.16.52.75 -> 10.10.10.81
This is a fragmented packet. Fragments only carry the original IP header
but not any upper protocol header like a TCP header. Snort can therefore
just determine the upper layer protocol (like TCP) but not any
additional TCP information like below.
> 
> I'm expecting something like this:
> 	{TCP} 172.16.52.75:80 -> 10.10.10.81:3565
> 
> Off the top of my head, I don't even know how to do that on purpose!  How do
> you change the output? 
The output is not changed. The packet just does not provide the
information.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: VPN mit Linux
Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
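Ralf's point above (a non-first fragment carries only the IP header, so the alert shows `{TCP} src -> dst` with no ports) is something any script that consumes Snort syslog output has to tolerate. The following is an added example, not code from this thread or from the Snort project: a small Python parser for this alert format that accepts both the ported and the port-less form and flags a TCP/UDP alert without ports as a probable fragment rather than rejecting the line. The sample syslog lines, the sensor host name and the `[gid:sid:rev]` tags in them are constructed for the example; only the two address pairs come from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Syslog alert tail as seen in the thread:
#   <msg> [Classification: ...] [Priority: N]: {PROTO} SRC[:PORT] -> DST[:PORT]
# The syslog timestamp/host prefix is skipped by searching rather than matching
# from the start of the line. The [gid:sid:rev] tag is optional (assumption:
# some syslog configurations omit it).
ALERT_RE = re.compile(r"""
    (?:\[(?P<sid>\d+:\d+:\d+)\]\s+)?                           # optional [gid:sid:rev]
    (?P<msg>[^\[]+?)\s*                                        # rule message text
    (?:\[Classification:\s*(?P<classification>[^\]]+)\]\s*)?   # optional classification
    \[Priority:\s*(?P<priority>\d+)\]:\s*                      # priority
    \{(?P<proto>[A-Za-z0-9]+)\}\s+                             # {TCP} / {UDP} / {ICMP}
    (?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s*->\s*               # source, port optional
    (?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$                   # destination, port optional
""", re.VERBOSE)

# Protocols for which Snort normally prints ports when it saw the transport header.
PORTED_PROTOCOLS = {"TCP", "UDP"}


@dataclass
class SnortAlert:
    sid: Optional[str]
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    @property
    def has_ports(self) -> bool:
        return self.sport is not None and self.dport is not None

    @property
    def likely_fragment(self) -> bool:
        # A TCP/UDP alert with no ports means Snort only had the IP header to
        # work from, which is what a non-first fragment looks like. ICMP and
        # other port-less protocols never carry ports, so they are not flagged.
        return self.proto in PORTED_PROTOCOLS and not self.has_ports


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one syslog line; return None if it is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    to_int = lambda v: int(v) if v is not None else None
    return SnortAlert(
        sid=m.group("sid"),
        msg=m.group("msg").strip(),
        classification=m.group("classification"),
        priority=int(m.group("priority")),
        proto=m.group("proto").upper(),
        src=m.group("src"),
        sport=to_int(m.group("sport")),
        dst=m.group("dst"),
        dport=to_int(m.group("dport")),
    )


def port_status(alert: SnortAlert) -> str:
    """Short triage label explaining why ports are present or absent."""
    if alert.has_ports:
        return "complete"
    if alert.likely_fragment:
        return "no-ports: probable fragment (IP header only)"
    return "no-ports: protocol has no ports"


# Constructed sample lines (sensor name, timestamps and sid tags are made up).
SAMPLE_LINES: List[str] = [
    "Dec 12 01:11:02 sensor snort: [1:1000001:1] BAD-TRAFFIC bad frag bits "
    "[Classification: Misc activity] [Priority: 3]: {TCP} 172.16.52.75 -> 10.10.10.81",
    "Dec 12 01:11:05 sensor snort: [1:1000002:1] WEB-MISC example request "
    "[Classification: Web Application Attack] [Priority: 1]: {TCP} 172.16.52.75:80 -> 10.10.10.81:3565",
    "Dec 12 01:11:09 sensor snort: [1:1000003:1] ICMP Echo Reply "
    "[Classification: Misc activity] [Priority: 3]: {ICMP} 172.16.52.75 -> 10.10.10.81",
    "Dec 12 01:11:10 sensor sshd[123]: Accepted publickey for user from 10.10.10.5",
]


def parse_lines(lines: List[str]) -> List[SnortAlert]:
    """Parse a batch of syslog lines, silently skipping non-Snort lines."""
    return [a for a in (parse_alert(l) for l in lines) if a is not None]


if __name__ == "__main__":
    for alert in parse_lines(SAMPLE_LINES):
        print(f"{alert.priority} {alert.proto:4} {alert.src}:{alert.sport} -> "
              f"{alert.dst}:{alert.dport}  {alert.msg}  [{port_status(alert)}]")
```

A consumer that assumed `ip:port` on every line would either drop the fragment alert or mis-split the address; treating the ports as optional and keeping the fragment label lets the alert still be correlated with the first-fragment alert (which does carry ports) by the address pair.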



