[Snort-users] snort 2.0: is icmp type missing from syslog format?

Michael Scheidell scheidell at ...5171...
Mon May 5 05:36:09 EDT 2003


Is the icmp type and code missing from the snort 2.0 syslog format?
Is it that way by design?

Can I beg for it to be put in?
The 'source and destination' ports exist for TCP and UDP, and for CSV for
barnyard, I note that even if the format is different (doesn't have an
ip:port), it does have the ICMP code recorded (the "8,0"):

"ICMP","2003-01-19 04:35:01",80.129.248.131,,xxx.xxx.xxx.xxx,,8,0,117,1,1,96335,96335


May  5 06:01:08 scanner snort: [1:499:3] ICMP Large ICMP Packet
[Classification: Potentially Bad Traffic] [Priority: 2]: <fxp1> {ICMP}
193.221.47.96 -> xxx.xxx.xxx.xxx

By looking at what was logged in MySQL, I see that the ICMP type code
is (8) Echo Request with code 0.

Should not at least the 8 be recorded, like this?

May  5 06:01:08 scanner snort: [1:499:3] ICMP Large ICMP Packet
[Classification: Potentially Bad Traffic] [Priority: 2]: <fxp1> {ICMP}
193.221.47.96:8 -> xxx.xxx.xxx.xxx:0

(i.e., record the ICMP type in the 'src' (port) location and the ICMP code in
the 'dest' (port) location)

Note that the source and dest ports exist for UDP (and TCP):
May  5 07:02:37 scanner snort: [1:2003:2] MS-SQL Worm propagation attempt
[Classification: Misc Attack] [Priority: 2]: <fxp1> {UDP}
203.121.69.114:2051 -> xxx.xxx.xxx.xxx:1434

-- 
Michael Scheidell
SECNAP Network Security
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
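As an added example (not from the post above and not Snort or barnyard code), here is a small Python parser for the Snort syslog alert lines quoted in the message. It handles the TCP/UDP form (ip:port), the Snort 2.0 ICMP form (addresses only, so type and code come out as None) and, as a hypothetical, the layout the poster asks for, with the ICMP type and code in the two "port" slots. The sample lines are constructed from the ones in the post with the masked destination replaced by a documentation address (192.0.2.10); the function names, the dataclass and the hypothetical ICMP layout are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample lines, modelled on the syslog output quoted in the post
# (the masked destination replaced with a documentation address).
SAMPLE_LINES = [
    # Snort 2.0 syslog form for ICMP as quoted in the post: the ICMP type and
    # code do not appear anywhere on the line.
    "May  5 06:01:08 scanner snort: [1:499:3] ICMP Large ICMP Packet "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: <fxp1> {ICMP} "
    "193.221.47.96 -> 192.0.2.10",
    # UDP form: a port follows each address.
    "May  5 07:02:37 scanner snort: [1:2003:2] MS-SQL Worm propagation attempt "
    "[Classification: Misc Attack] [Priority: 2]: <fxp1> {UDP} "
    "203.121.69.114:2051 -> 192.0.2.10:1434",
    # The layout the post asks for (hypothetical, not a Snort feature): ICMP
    # type in the source "port" slot, ICMP code in the destination "port" slot.
    "May  5 06:01:08 scanner snort: [1:499:3] ICMP Large ICMP Packet "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: <fxp1> {ICMP} "
    "193.221.47.96:8 -> 192.0.2.10:0",
]

# One regex covers all three shapes: the ":number" after each address is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"(?:<(?P<iface>[^>]+)> )?\{(?P<proto>[A-Za-z]+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sfield>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dfield>\d+))?$"
)

# A few well-known ICMP type numbers, for readable output.
ICMP_TYPE_NAMES = {0: "Echo Reply", 3: "Destination Unreachable",
                   5: "Redirect", 8: "Echo Request", 11: "Time Exceeded"}


@dataclass
class SnortAlert:
    timestamp: str
    host: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    iface: Optional[str]
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None       # TCP/UDP only
    dport: Optional[int] = None       # TCP/UDP only
    icmp_type: Optional[int] = None   # ICMP only, and only if the line carries it
    icmp_code: Optional[int] = None


def parse_alert(line: str) -> SnortAlert:
    """Parse one Snort syslog alert line; raise ValueError on anything else."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Snort syslog alert line: {line!r}")
    sfield = int(m["sfield"]) if m["sfield"] is not None else None
    dfield = int(m["dfield"]) if m["dfield"] is not None else None
    alert = SnortAlert(
        timestamp=m["ts"], host=m["host"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        iface=m["iface"], proto=m["proto"].upper(), src=m["src"], dst=m["dst"],
    )
    if alert.proto in ("TCP", "UDP"):
        alert.sport, alert.dport = sfield, dfield
    elif alert.proto == "ICMP":
        # Under the hypothetical layout the two numbers are type and code; under
        # the Snort 2.0 format quoted in the post they are absent and stay None.
        alert.icmp_type, alert.icmp_code = sfield, dfield
    return alert


def parse_many(lines: Iterable[str]) -> List[SnortAlert]:
    return [parse_alert(line) for line in lines if line.strip()]


def icmp_alerts_without_type_code(alerts: Iterable[SnortAlert]) -> List[SnortAlert]:
    """ICMP alerts whose log line cannot tell an Echo Request from any other type."""
    return [a for a in alerts
            if a.proto == "ICMP" and (a.icmp_type is None or a.icmp_code is None)]


def describe(a: SnortAlert) -> str:
    head = f"[{a.gid}:{a.sid}:{a.rev}] {a.msg}: "
    if a.proto != "ICMP":
        return head + f"{a.src}:{a.sport} -> {a.dst}:{a.dport} ({a.proto})"
    if a.icmp_type is None:
        return head + f"{a.src} -> {a.dst} (ICMP type/code not logged)"
    name = ICMP_TYPE_NAMES.get(a.icmp_type)
    label = f"type {a.icmp_type}" + (f" ({name})" if name else "")
    return head + f"{a.src} -> {a.dst} (ICMP {label}, code {a.icmp_code})"


if __name__ == "__main__":
    for alert in parse_many(SAMPLE_LINES):
        print(describe(alert))
```

Running it on the three constructed lines shows the gap the post is about: the first ICMP alert can only be reported as "type/code not logged", while the UDP alert and the hypothetical ICMP layout both yield the full tuple. `icmp_alerts_without_type_code()` is the check to run over a real syslog feed to see how many ICMP alerts are affected.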



