[Snort-users] Different Portscan format under 2.1.0 to 2.0.5

M. Salman Farisi msalmanf at ...11176...
Sun Feb 15 21:47:00 EST 2004


I also have the same problem as Mr Meatheringham; I use snort 2.1.0. I
have tried to scan from another machine and run a small attack, but it
doesn't alert or log anything.
I have checked /var/log/messages, /var/log/secure, and
/var/log/snort/alert, not even mysql!!!!!

Any recommendations?


On Mon, 16 Feb 2004, Stephen Meatheringham wrote:

> Hi
>   I've recently upgraded my snort from 2.0.5 to 2.1.0.  I note that the portscan
> section is now very different.  Indeed I don't seem to get a portscan log file
> any longer and see entries such as these in my alert log file:
> [**] [121:4:1] Portscan detected from 203.26.51.50 Talker(fixed: 30 sliding: 30)
> Scanner(fixed: 0 sliding: 0) [**]
> [**] [121:4:1] Portscan detected from 130.241.27.5 Talker(fixed: 30 sliding: 30)
> Scanner(fixed: 0 sliding: 0) [**]
> [**] [121:4:1] Portscan detected from 61.88.251.10 Talker(fixed: 30 sliding: 30)
> Scanner(fixed: 0 sliding: 0) [**]
>
>   If possible I'd like to get similar output to the older version which when
> processed with snortsnarf shows me the IP addresses scanned and the port(s)
> scanned on.
>
>   I can't seem to work out how to achieve this.
>
>   Thanks in advance for any advice.
>
> Stephen Meatheringham
>    Senior Network Engineer, IT Services
>    Australian Defence Force Academy
>    email: s.meatheringham at ...11219...
>    Phone: +61 2 6268 8142     Fax: +61 2 6268 8150
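
Added example, not part of either message above and not Snort or snortsnarf code: a small Python parser for the `[121:4:1] Portscan detected from ...` alert lines quoted in the post, producing a per-source summary from the fields those lines actually carry (source address, Talker and Scanner scores). The function names are hypothetical, and the fourth sample line is constructed to show aggregation.

```python
import re

# Sample input: the three alerts quoted in the post (line wrap preserved),
# plus one CONSTRUCTED unwrapped line repeating a source with other scores.
SAMPLE = """\
[**] [121:4:1] Portscan detected from 203.26.51.50 Talker(fixed: 30 sliding: 30)
Scanner(fixed: 0 sliding: 0) [**]
[**] [121:4:1] Portscan detected from 130.241.27.5 Talker(fixed: 30 sliding: 30)
Scanner(fixed: 0 sliding: 0) [**]
[**] [121:4:1] Portscan detected from 61.88.251.10 Talker(fixed: 30 sliding: 30)
Scanner(fixed: 0 sliding: 0) [**]
[**] [121:4:1] Portscan detected from 203.26.51.50 Talker(fixed: 45 sliding: 40) Scanner(fixed: 0 sliding: 0) [**]
"""

# Whitespace between fields is matched loosely so an alert split across
# two lines (as in the quoted mail) still parses as one record.
ALERT = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"Portscan detected from (?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"Talker\(fixed:\s*(?P<tf>\d+)\s+sliding:\s*(?P<ts>\d+)\)\s+"
    r"Scanner\(fixed:\s*(?P<sf>\d+)\s+sliding:\s*(?P<ss>\d+)\)\s+\[\*\*\]"
)

def parse_alerts(text):
    """Yield one dict per portscan alert found in the alert-file text."""
    for m in ALERT.finditer(text):
        d = m.groupdict()
        yield {
            "sig": (int(d["gid"]), int(d["sid"]), int(d["rev"])),
            "src": d["src"],
            "talker": (int(d["tf"]), int(d["ts"])),    # (fixed, sliding)
            "scanner": (int(d["sf"]), int(d["ss"])),   # (fixed, sliding)
        }

def summarize(text):
    """Per source address: number of alerts and highest scores seen."""
    out = {}
    for a in parse_alerts(text):
        s = out.setdefault(a["src"], {"alerts": 0, "talker_max": 0, "scanner_max": 0})
        s["alerts"] += 1
        s["talker_max"] = max(s["talker_max"], *a["talker"])
        s["scanner_max"] = max(s["scanner_max"], *a["scanner"])
    return out

if __name__ == "__main__":
    for src, s in sorted(summarize(SAMPLE).items()):
        print(f"{src:15s} alerts={s['alerts']} "
              f"talker_max={s['talker_max']} scanner_max={s['scanner_max']}")
```

The quoted alert lines contain no destination addresses or ports, so this summary cannot reproduce the scanned-host and scanned-port view described for the older portscan log.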



