[Snort-users] Re: TCP PORTSCAN - log all packets?

Daniel Rocha listas.dl at ...11827...
Mon Jun 6 14:48:28 EDT 2005


> I am running snort 2.3.0 (Build 10) and in my snort.conf I enabled:
> "output log_tcpdump: tcpdump.log" to log in binary tcpdump mode.
> 
> I am having a problem when I run a TCP portscan (and other types). I
> need to see all packets related to the portscan in the log, but
> only two packets are logged, like:
> 
> 16:13:10.119122 IP 192.168.254.2 > 192.168.254.7: icmp 8: echo request seq 0
> 16:13:10.451484 IP 192.168.254.2 > 192.168.254.7:  raw 147
> 
> And the alert file shows:
> 
> [**] [1:469:3] ICMP PING NMAP [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 06/06-16:13:10.119122 192.168.254.2 -> 192.168.254.7
> ICMP TTL:48 TOS:0x0 ID:52088 IpLen:20 DgmLen:28
> Type:8  Code:0  ID:2209   Seq:0  ECHO
> [Xref => http://www.whitehats.com/info/IDS162]
> 
> [**] [122:1:0] (portscan) TCP Portscan [**]
> 06/06-16:13:10.451484 192.168.254.2 -> 192.168.254.7
> RAW TTL:0 TOS:0x0 ID:22633 IpLen:20 DgmLen:167 DF
> 
> Does anyone know how I can log all packets?
>
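Added example, not part of the thread: a small Python parser for the Snort "full" alert-file format quoted above. It pulls out the [gid:sid:rev] triple, message, timestamp, endpoints and IP header summary of each entry, and separates text-rule matches (gid 1) from preprocessor events such as the sfPortscan entry (gid 122). The sample input is constructed from the two entries in the post.

```python
import re
from typing import Dict, List

# Constructed sample: the two entries quoted in the post, in Snort "full" alert format.
SAMPLE_ALERTS = """\
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/06-16:13:10.119122 192.168.254.2 -> 192.168.254.7
ICMP TTL:48 TOS:0x0 ID:52088 IpLen:20 DgmLen:28
Type:8  Code:0  ID:2209   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [122:1:0] (portscan) TCP Portscan [**]
06/06-16:13:10.451484 192.168.254.2 -> 192.168.254.7
RAW TTL:0 TOS:0x0 ID:22633 IpLen:20 DgmLen:167 DF
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")  # [**] [gid:sid:rev] msg [**]
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
ADDR_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")                           # timestamp src -> dst
PROTO_RE = re.compile(r"^(\S+) TTL:(\d+) .*DgmLen:(\d+)")                 # IP header summary line


def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Parse Snort 'full' alert-file output into one dict per [**] block."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head:
            continue
        rec = {"gid": int(head[1]), "sid": int(head[2]), "rev": int(head[3]),
               "msg": head[4], "priority": None}  # preprocessor events carry no priority line
        for line in lines[1:]:
            if m := PRIO_RE.search(line):
                rec["priority"] = int(m[1])
            elif m := ADDR_RE.match(line):
                rec.update(timestamp=m[1], src=m[2], dst=m[3])
            elif m := PROTO_RE.match(line):
                rec.update(proto=m[1], ttl=int(m[2]), dgm_len=int(m[3]))
        if "timestamp" in rec and "proto" in rec:  # skip blocks missing the address or header line
            alerts.append(rec)
    return alerts


def is_preprocessor_event(alert: Dict[str, object]) -> bool:
    """gid 1 is a text-rule match; any other gid (122 = sfPortscan) was raised by a preprocessor."""
    return alert["gid"] != 1
```

In Snort 2.x the sfPortscan preprocessor raises its alert on a pseudo-packet it builds itself (hence the RAW protocol and TTL:0 in the header line), so log_tcpdump records that one synthesized packet per scan event rather than the individual probes.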
