[Snort-users] Questionable snort data downloaded from incidents.org for practical

Don Murdoch djmurd at ...5190...
Tue May 13 19:01:09 EDT 2003


	Hello - I am hoping that someone out there can give me some direction
	and advice.  I see some odd data in the logs that I downloaded from
	www.incidents.org/logs/ (030501 to 030505).  It would appear that the
	data is not being written to the disk - that there is some sort
	of abbreviated format going on here.

	Q's - is this normal?  I don't see anything like this on our production
	Snort IDS at work....
	I haven't seen anything like this in my studies so far.
	What should I do (SANS people...)...
	How should I analyze this data?  should I reassemble it in some way?

	Example data chunks below:

	from alert.030501

05/01-11:18:31.659156  [**] SMB Name Wildcard [**] 61.186.111.220:1029 ->
MY.NET.18.240:137
:1027 -> 233.2.171.1:56464
:56464
:56464
:137

05/01-11:46:24.458715  [**] spp_portscan: PORTSCAN DETECTED from MY.NET.1.3
(THRESHOLD 12 conn
ections exceeded in 1 seconds) [**]
:56464
:56464
:56464
:56464
:56464
--------------------------------------

