[Snort-users] snort 2.0.0 logging problem?

sb ch chulmin22 at ...125...
Thu Jun 19 18:29:15 EDT 2003


Hello,

sorry for my poor writing.
But your answer is not what I meant.


## the correct format:
[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]


## but my incorrect format below:
[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434

UDP TTL:126 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]

So, my snort log analyzer program would not work well.


Thanks in advance.


From: Erek Adams <erek at ...950...>
To: sb ch <chulmin22 at ...125...>
CC: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort 2.0.0 logging problem?
Date: Thu, 19 Jun 2003 09:25:56 -0400 (EDT)

On Thu, 19 Jun 2003, sb ch wrote:

 > When I see my snort log file, I found that the logging does not always
 > work well, like below.
 > Same lines are logged again like below.
 > Surely some messages are logged well but some aren't.
 >
 > What's the problem and how can I solve this problem?
 >
 > [**] [1:2049:1] MS-SQL ping attempt [**]
 > [Classification: Misc activity] [Priority: 3]
 > [**] [1:2049:1] MS-SQL ping attempt [**]
 > [Classification: Misc activity] [Priority: 3]
 > 06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
 > UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
 > Len: 1
 > [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
 > 06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
 >
 > UDP TTL:126 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
 > Len: 1
 > [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]

What info are you expecting?  That's the info from a 'full alert' file.

That's perfectly normal...  Now if you're expecting the entire packet
dump, you'll need to log to a pcap, unified, or a DB.

Cheers!

-----
Erek Adams

    "When things get weird, the weird turn pro."   H.S. Thompson
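As an added example (not part of this thread, and not Snort's own code), here is a small Python parser for the Snort 2.x 'full alert' text format shown above. Instead of assuming a fixed line order, it keys each record on its `[**]` rule header, so when two alerts' lines are interleaved as in the second sample it reassembles them and reports the anomaly rather than miscounting or crashing. The two sample strings are the records quoted in this message (addresses already masked by the original poster); the "no owning rule header" placeholder record and the anomaly wording are this example's own conventions.

```python
"""Tolerant parser for the Snort 2.x 'full alert' text format.

Added example for the mailing-list thread; not Snort's code. The sample
records below are copied from the thread (addresses masked as 211.xx.xx.xx
by the original poster).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One regex per line type that appears in a full-alert record.
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$')
CLASS_RE = re.compile(r'^\[Classification: (.+?)\] \[Priority: (\d+)\]$')
PKT_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) (\S+):(\d+) -> (\S+):(\d+)$')
PROTO_RE = re.compile(r'^(TCP|UDP|ICMP) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)')
XREF_RE = re.compile(r'^\[Xref => (.+?)\]$')


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str] = None
    priority: Optional[int] = None
    timestamp: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None
    ttl: Optional[int] = None
    xrefs: List[str] = field(default_factory=list)
    extra: List[str] = field(default_factory=list)  # e.g. "Len: 1", TCP flag lines

    def has_packet(self) -> bool:
        return self.timestamp is not None


def parse_full_alerts(text: str) -> Tuple[List[Alert], List[str]]:
    """Return (alerts, anomalies). Malformed input never raises: records whose
    lines were interleaved are reassembled and the repair is reported."""
    alerts: List[Alert] = []
    anomalies: List[str] = []
    target: Optional[Alert] = None  # record currently receiving packet lines
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if alerts and not alerts[-1].has_packet():
                anomalies.append(f"line {lineno}: rule header for sid {alerts[-1].sid} "
                                 "was followed by another header before its packet header")
            target = Alert(int(m[1]), int(m[2]), int(m[3]), m[4])
            alerts.append(target)
            continue
        if target is None:
            anomalies.append(f"line {lineno}: data before any rule header: {line!r}")
            continue
        m = CLASS_RE.match(line)
        if m:
            target.classification, target.priority = m[1], int(m[2])
            continue
        m = PKT_RE.match(line)
        if m:
            if target.has_packet():
                # Second packet header for a record that already has one: it belongs
                # to the oldest record still missing its packet (interleaved output).
                orphaned = [a for a in alerts if not a.has_packet()]
                if orphaned:
                    target = orphaned[0]
                    anomalies.append(f"line {lineno}: packet header reassigned to earlier "
                                     f"sid {target.sid} record")
                else:
                    target = Alert(0, 0, 0, "<no owning rule header>")  # placeholder
                    alerts.append(target)
                    anomalies.append(f"line {lineno}: packet header with no owning rule header")
            target.timestamp, target.src, target.sport = m[1], m[2], int(m[3])
            target.dst, target.dport = m[4], int(m[5])
            continue
        m = PROTO_RE.match(line)
        if m:
            target.proto, target.ttl = m[1], int(m[2])
            continue
        m = XREF_RE.match(line)
        if m:
            target.xrefs.append(m[1])
            continue
        target.extra.append(line)
    return alerts, anomalies


def count_by_signature(alerts: List[Alert]) -> Dict[Tuple[int, int, int, str], int]:
    """What a simple log analyzer wants: hits per (gid, sid, rev, msg)."""
    counts: Dict[Tuple[int, int, int, str], int] = {}
    for a in alerts:
        key = (a.gid, a.sid, a.rev, a.msg)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Records as quoted in the thread: one clean record, then two interleaved ones.
CORRECT_SAMPLE = """[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
"""

INTERLEAVED_SAMPLE = """[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434

UDP TTL:126 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
"""

if __name__ == "__main__":
    for name, sample in (("correct", CORRECT_SAMPLE), ("interleaved", INTERLEAVED_SAMPLE)):
        alerts, anomalies = parse_full_alerts(sample)
        print(name, count_by_signature(alerts), anomalies)
```

The interleaved sample yields two complete records (TTL 128 and TTL 126, i.e. two distinct packets that both matched sid 2049) plus two anomaly notes, which is the count a naive line-order parser would get wrong.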


