[Snort-users] truncated portscan alerts with unified2 output

ScottO skippylou at ...11827...
Fri Sep 10 11:06:49 EDT 2010


Curious if anyone has seen this.

Before, on alert_full:

[**] [122:19:0] (portscan) UDP Portsweep [**]
[Priority: 3]
08/12-15:30:29.447556 192.168.1.150 -> 192.168.2.165
PROTO:255 TTL:0 TOS:0xC0 ID:17190 IpLen:20 DgmLen:159

After, on unified2:

[**] [122:19:0] portscan: UDP Portsweep [**]
09/09-10:15:28.956109

All are running the same version of Snort (2.8.6) and Barnyard2 (2.1.8).

The unified2 line in snort.conf:

output unified2: filename /var/log/snort_unified2.log, limit 128

Running barnyard2 as: /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d
/var/log -f snort_unified2.log

Barnyard2 also has config options for all the sid and generation maps,
classification.config, reference.config.

Anyone with any thoughts on this?

Thanks,

scott
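One way to narrow this down, as an added diagnostic that is not part of Scott's post nor code from Snort or Barnyard2: decode the unified2 IDS-event records (type 7, Snort 2.8.x layout) directly from the log file and check whether the portscan event itself carries source/destination addresses and protocol. If the fields are present in the record, the loss is in Barnyard2's output path; if they are zero, Snort never wrote them. The struct layout is the Snort 2.8 Unified2IDSEvent; the sample record below is constructed to mirror the [122:19:0] event in the post.

```python
import socket
import struct

# Unified2 record header and IDS-event layout (Snort 2.8.x, big-endian).
UNIFIED2_IDS_EVENT = 7
_HDR = struct.Struct("!II")                 # record type, record length
_EVT = struct.Struct("!IIIIIIIIIIIHHBBBB")  # Unified2IDSEvent, 52 bytes

EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact",
    "blocked",
)

def iter_records(data):
    """Yield (record_type, payload) for each record in a unified2 byte string."""
    off = 0
    while off + _HDR.size <= len(data):
        rtype, rlen = _HDR.unpack_from(data, off)
        off += _HDR.size
        yield rtype, data[off:off + rlen]
        off += rlen

def decode_event(payload):
    """Decode one type-7 record into a dict with dotted-quad addresses added."""
    ev = dict(zip(EVENT_FIELDS, _EVT.unpack_from(payload)))
    ev["src"] = socket.inet_ntoa(struct.pack("!I", ev["ip_source"]))
    ev["dst"] = socket.inet_ntoa(struct.pack("!I", ev["ip_destination"]))
    return ev

def portscan_events(data, gid=122):
    """Return portscan (generator 122) events, flagging whether IP data is present."""
    out = []
    for rtype, payload in iter_records(data):
        if rtype != UNIFIED2_IDS_EVENT or len(payload) < _EVT.size:
            continue
        ev = decode_event(payload)
        if ev["generator_id"] == gid:
            ev["has_ip"] = ev["ip_source"] != 0 and ev["ip_destination"] != 0
            out.append(ev)
    return out

# Constructed sample: one UDP Portsweep event [122:19:0], priority 3, PROTO 255,
# timestamped 09/09-10:15:28.956109 (2010, EDT) like the truncated alert above.
SAMPLE = _HDR.pack(UNIFIED2_IDS_EVENT, _EVT.size) + _EVT.pack(
    1, 42, 1284041728, 956109, 19, 122, 0, 0, 3,
    struct.unpack("!I", socket.inet_aton("192.168.1.150"))[0],
    struct.unpack("!I", socket.inet_aton("192.168.2.165"))[0],
    0, 0, 255, 0, 0, 0)
```

To run it against the real file, read `/var/log/snort_unified2.log.<timestamp>` into `data` and call `portscan_events(data)`; an event with `has_ip` False means the addresses were never written by Snort.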