[Snort-users] Re: TCP PORTSCAN - log all packets?
listas.dl at ...11827...
Mon Jun 6 17:25:35 EDT 2005
I would like to apologize. Only now do I see the response. I thought
my question had not arrived because a strange response came back to me
when I sent it, and I am new to the list.
Sorry, sorry ...
log any any -> any any
is not good for me. This is the same as what tcpdump does. I want to see all
packets that are attacks, not simply all packets ....
On 6/6/05, Daniel Rocha <listas.dl at ...11827...> wrote:
> > I am running snort 2.3.0 (Build 10) and in my snort.conf I enabled:
> > "output log_tcpdump: tcpdump.log" to log in binary tcpdump mode.
> > I am having a problem when I run a TCP portscan (and other types). I
> > need to see all packets related to the portscan in the log, but
> > just two packets are logged, like:
> > 16:13:10.119122 IP 192.168.254.2 > 192.168.254.7: icmp 8: echo request seq 0
> > 16:13:10.451484 IP 192.168.254.2 > 192.168.254.7: raw 147
> > And the alert file shows:
> > [**] [1:469:3] ICMP PING NMAP [**]
> > [Classification: Attempted Information Leak] [Priority: 2]
> > 06/06-16:13:10.119122 192.168.254.2 -> 192.168.254.7
> > ICMP TTL:48 TOS:0x0 ID:52088 IpLen:20 DgmLen:28
> > Type:8 Code:0 ID:2209 Seq:0 ECHO
> > [Xref => http://www.whitehats.com/info/IDS162]
> > [**] [122:1:0] (portscan) TCP Portscan [**]
> > 06/06-16:13:10.451484 192.168.254.2 -> 192.168.254.7
> > RAW TTL:0 TOS:0x0 ID:22633 IpLen:20 DgmLen:167 DF
> > Does anyone know how I can log all packets?
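As an added example (not part of the post and not code shipped with Snort), the snort.conf / local rules fragment below shows the two Snort 2.x mechanisms that write the traffic of a scan to the tcpdump log rather than only the one packet that raised the alert: a `log` rule that matches every TCP SYN aimed at the monitored network, and an `alert` rule carrying the `tag` option so that the packets following the trigger from the same source are logged as well. The HOME_NET value (taken from the 192.168.254.x addresses in the post), the sids and the rule messages are assumptions.

```snort
# Added example, not from the post: snort.conf / local rules fragment for Snort 2.x.
# Assumption: the monitored network is 192.168.254.0/24, as the addresses in the post suggest.
var HOME_NET 192.168.254.0/24

# Unchanged from the post: packets selected for logging go to a binary tcpdump-format file.
output log_tcpdump: tcpdump.log

# 1) A log rule (action "log", not "alert"): every TCP SYN aimed at HOME_NET is
#    written to the log output only, so a scan's probes are captured without
#    flooding the alert file. flags:S,12 matches SYN and ignores the two reserved bits.
#    Local rules use sids of 1000000 and above to stay clear of the distributed rule set.
log tcp any any -> $HOME_NET any (msg:"LOCAL TCP SYN to HOME_NET"; flags:S,12; sid:1000001; rev:1;)

# 2) A tagged alert: when the echo request that precedes an Nmap scan fires, the
#    tag option keeps logging every packet from that source host for the next
#    60 seconds, so the port probes that follow the ping land in tcpdump.log too.
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo request, tag source host"; itype:8; tag:host,60,seconds,src; sid:1000002; rev:1;)
```

The "RAW TTL:0" packet in the post is the portscan preprocessor's own summary pseudo-packet, not a packet sent by the scanner, which is why that alert on its own never yields the probe packets; the two rules above capture them directly. Include the fragment in snort.conf (or the referenced rules file), run Snort as before or replay a capture with `snort -c snort.conf -r capture.pcap`, and read the resulting log back with `tcpdump -r`.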