[Snort-users] Unified Alert logs and portscan alarms

Povel, Michael Michael.Povel at ...10534...
Wed May 5 07:54:08 EDT 2004


Hello all,
I tried to use Barnyard 0.2.0 with snort 2.1.3RC1, and found that alarms
like 
[**] [121:4:1] Portscan detected from X.X.X.X Talker(fixed: 23 sliding: 30)
Scanner(fixed: 0 sliding: 0) [**]
05/05-16:42:30.577333
lose data when they are logged in the unified format.
It looks like Barnyard does not get any IP information, and even when I add
some debug output, not all of the information is in the unified log file:
------------------------------------------------------
Event->sig_generator  = 121
Event->sig_id         = 4
Event->sig_rev        = 1
Event->classification = 1
Event->priority       = 2
Event->id             = 15
Event->reference      = 15
Alert->ts.tv_sec      = 0
Alert->ts.tv_usec     = 0
Alert->sip            = 0.0.0.0
Alert->dip            = 0.0.0.0
Alert->sp             = 0
Alert->dp             = 0
Alert->protocol       = 0
Alert->flags          = 0x0
------------------------------------------------------
Any ideas?

cu

Michael
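The check the post does by hand (read the unified alert record and see whether the timestamp, addresses, ports and protocol are all zero) can be automated over a whole file. The following is an added example, not code from the post, from Snort or from Barnyard. It assumes the on-disk layout that spo_unified.c produces on a 32-bit little-endian host: a 16-byte file header (magic, version_major, version_minor, timezone, all 32-bit) with ALERT_MAGIC 0xDEAD4137, followed by fixed 64-byte UnifiedAlert records whose Event part matches the field names in the debug dump above (sig_generator through reference, plus a ref_time timeval), with sip/dip stored in network byte order. Those constants and the absence of padding are assumptions to verify against your own Snort build; a 64-bit sensor changes the timeval size and therefore the record length. The sample input is constructed inline: one ordinary rule alert and one [121:4:1] record shaped like the dump in the post.

```python
"""Scan a Snort 2.x unified *alert* file for records that carry no IP, port
or timestamp data, the symptom reported for generator 121 (portscan) events.

Added example, not from the post nor from Snort/Barnyard.  ASSUMPTIONS:
  * 32-bit little-endian layout of UnifiedAlertFileHeader and UnifiedAlert,
    no padding, struct timeval as two 32-bit fields, sip/dip in network order;
  * file header = magic, version_major, version_minor, timezone (4 x u32)
    with ALERT_MAGIC 0xDEAD4137.
On a 64-bit sensor the timeval members are 8 bytes: adjust RECORD_FMT.
"""
import socket
import struct
from typing import Iterator, List, NamedTuple, Tuple

HEADER_FMT = "<IIII"                      # assumed header layout
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16 bytes
ALERT_MAGIC = 0xDEAD4137                  # assumed magic value

# Event (7 x u32 + ref_time timeval), then ts, sip, dip, sp, dp, protocol, flags
RECORD_FMT = "<7I2I2I4s4sHHII"
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 64 bytes under the assumed layout


class UnifiedAlert(NamedTuple):
    gid: int
    sid: int
    rev: int
    classification: int
    priority: int
    event_id: int
    event_ref: int
    ref_sec: int
    ref_usec: int
    ts_sec: int
    ts_usec: int
    sip: str
    dip: str
    sp: int
    dp: int
    protocol: int
    flags: int

    def lost_packet_data(self) -> bool:
        """True when timestamp, addresses, ports and protocol are all zero,
        the pattern in the post's debug dump for [121:4:1]."""
        return (self.ts_sec == 0 and self.ts_usec == 0
                and self.sip == "0.0.0.0" and self.dip == "0.0.0.0"
                and self.sp == 0 and self.dp == 0 and self.protocol == 0)


def parse_alert_file(data: bytes) -> Iterator[UnifiedAlert]:
    """Yield every complete record; a trailing partial record (file still
    being written by the sensor) is ignored rather than misparsed."""
    magic, _major, _minor, _tz = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != ALERT_MAGIC:
        raise ValueError(f"not a unified alert file (magic 0x{magic:08x})")
    off = HEADER_LEN
    while off + RECORD_LEN <= len(data):
        f = struct.unpack_from(RECORD_FMT, data, off)
        off += RECORD_LEN
        yield UnifiedAlert(*f[:11],
                           socket.inet_ntoa(f[11]), socket.inet_ntoa(f[12]),
                           *f[13:])


def empty_records(data: bytes) -> List[Tuple[int, int, int]]:
    """Return (record index, gid, sid) for every record lacking packet data."""
    return [(i, r.gid, r.sid)
            for i, r in enumerate(parse_alert_file(data))
            if r.lost_packet_data()]


def build_sample_file() -> bytes:
    """Constructed input: one normal rule alert, then a portscan event with
    all addressing fields zero, as in the dump quoted in the post."""
    header = struct.pack(HEADER_FMT, ALERT_MAGIC, 1, 2, 0)
    ok = struct.pack(RECORD_FMT, 1, 1000001, 1, 3, 2, 14, 14,
                     1083789750, 577333, 1083789750, 577333,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.7"),
                     3456, 22, 6, 0)
    scan = struct.pack(RECORD_FMT, 121, 4, 1, 1, 2, 15, 15,
                       0, 0, 0, 0,
                       socket.inet_aton("0.0.0.0"), socket.inet_aton("0.0.0.0"),
                       0, 0, 0, 0)
    return header + ok + scan


if __name__ == "__main__":
    import sys
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_file())
    for idx, gid, sid in empty_records(blob):
        print(f"record {idx}: [{gid}:{sid}] has no IP/port/timestamp data")
```

Run it against a real snort.alert file to confirm whether only generator 121 records come back empty; if the magic check passes but ordinary rule alerts also report zeroed fields, the layout assumption (record length or timeval width) is wrong for that sensor, not the data.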