[Snort-users] snort 2.0.0 logging problem?

Erek Adams erek at ...950...
Fri Jun 20 08:13:10 EDT 2003


On Fri, 20 Jun 2003, sb ch wrote:

> ## the correct format :
> [**] [1:2049:1] MS-SQL ping attempt [**]
> [Classification: Misc activity] [Priority: 3]
> 06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
> UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
> Len: 1
> [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
>
>
> ## but my incorrect format below:
> [**] [1:2049:1] MS-SQL ping attempt [**]
> [Classification: Misc activity] [Priority: 3]
> [**] [1:2049:1] MS-SQL ping attempt [**]
> [Classification: Misc activity] [Priority: 3]
> 06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
> UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
> Len: 1
> [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
> 06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
>
> UDP TTL:126 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
> Len: 1
> [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
>
> So, my snort log analyzer program would not work well.

Are you running two instances of Snort?  It seems like that's the same
entry that was duplicated half on itself.  If you had two instances
logging to the same file, that could happen.

How are you starting Snort and what output methods do you have enabled?

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
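A small parser for the Snort "full" alert format quoted above that flags the interleaving Erek describes (a second header before the packet line, or a stray packet line after a complete record). This is an added example, not code from the thread or from Snort; the sample log and the 10.0.0.5 address in it are constructed.

```python
import re

SIG_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*)\] \[Priority: (\d+)\]$")
PKT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")

# Constructed sample: one clean record, then a record written as two
# interleaved copies (the symptom of two writers sharing one alert file).
SAMPLE = """\
[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
06/18-18:43:44.248450 10.0.0.5:3314 -> 255.255.255.255:1434
UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1

[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
06/18-18:43:44.248450 10.0.0.5:3314 -> 255.255.255.255:1434
UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1
06/18-18:43:44.248450 10.0.0.5:3314 -> 255.255.255.255:1434
UDP TTL:126 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
Len: 1
"""

def parse_full_alerts(text):
    """One dict per '[**]' header; 'problems' is empty for a well-formed record."""
    alerts, cur = [], None
    for line in text.splitlines():
        if m := SIG_RE.match(line):
            if cur and not cur["ts"]:          # header repeated before its packet line
                cur["problems"].append("no packet line before next header")
            cur = {"sid": int(m[2]), "rev": int(m[3]), "msg": m[4], "ts": "",
                   "src": "", "dst": "", "priority": None, "problems": []}
            alerts.append(cur)
        elif cur is None:
            continue                            # text before the first header
        elif m := CLASS_RE.match(line):
            cur["priority"] = int(m[2])
        elif m := PKT_RE.match(line):
            if cur["ts"]:                       # a second packet line in one record
                cur["problems"].append("extra packet line in record")
            else:
                cur["ts"], cur["src"], cur["dst"] = m[1], m[2], m[3]
    return alerts

def malformed(alerts):
    """Indexes of records an analyzer should treat as suspect."""
    return [i for i, a in enumerate(alerts) if a["problems"]]
```

Running `malformed(parse_full_alerts(SAMPLE))` returns `[1, 2]`: the clean record passes, and both halves of the interleaved record are flagged.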
