[Snort-users] Difference Portscan format under 2.1.0 to 2.0.5

Stephen Meatheringham sme at ...11218...
Mon Feb 16 06:42:27 EST 2004


Hi
  I've recently upgraded my snort from 2.0.5 to 2.1.0.  I note that the portscan 
section is now very different.  Indeed I don't seem to get a portscan log file 
any longer and see entries such as these in my alert log file:
[**] [121:4:1] Portscan detected from 203.26.51.50 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
[**] [121:4:1] Portscan detected from 130.241.27.5 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
[**] [121:4:1] Portscan detected from 61.88.251.10 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]

  If possible I'd like to get similar output to the older version which when 
processed with snortsnarf shows me the IP addresses scanned and the port(s) 
scanned on.  
  
  I can't seem to work out how to achieve this.
  
  Thanks in advance for any advice.
  
Stephen Meatheringham
   Senior Network Engineer, IT Services
   Australian Defence Force Academy
   email: s.meatheringham at ...11219...  
   Phone: +61 2 6268 8142     Fax: +61 2 6268 8150




