[Snort-users] Portscan log file format

Joshua Polsky jpolsky at ...14758...
Thu Apr 21 17:01:49 EDT 2011


I had a question dealing with this particular option in the snort.conf file.

preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { high } scan_type { all }

I am trying to determine if the logging method has changed for the portscans. Currently if I add a log file to this preprocessor, I get this format:

Time: 04/13-15:29:41.660134
event_id: 6042
x.x.x.x -> x.x.x.x(portscan) UDP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 66
Scanner IP Range:x.x.x.x:x.x.x.x
Port/Proto Count: 32
Port/Proto Range: 137:17500

I was looking up some information about an older preprocessor for portscan just entitled portscan and noticed that it was able to log packets to the portscan.log file as follows:

Mar 25 23:05:46 192.168.100.20:60126 -> 10.10.117.13:751 SYN ******S*

I was wondering if this type of format is still possible, or if I am able to get similar information from the newer preprocessor. The reason I ask about this is because we have a program that uses the information from the portscan and it was looking for this older format.

Thanks for any help anybody can provide.

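A parser for the sfportscan log layout quoted in the post, added here as an example (it is not part of the post or of Snort): it splits the blank-line-separated events into typed records so a consumer script written for the older portscan.log format has something structured to read. The sample log, its event ids and its 192.0.2.x / 198.51.100.x addresses are constructed for this example.

```python
import re
# Constructed sample in the sfportscan log layout quoted in the post;
# addresses use the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE_LOG = """\
Time: 04/13-15:29:41.660134
event_id: 6042
192.0.2.10 -> 198.51.100.7(portscan) UDP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 66
Scanner IP Range:192.0.2.10:192.0.2.10
Port/Proto Count: 32
Port/Proto Range: 137:17500

Time: 04/13-15:31:02.000001
event_id: 6043
192.0.2.11 -> 198.51.100.8(portscan) TCP Portscan
Priority Count: 5
Connection Count: 20
IP Count: 1
Scanner IP Range:192.0.2.11:192.0.2.11
Port/Proto Count: 20
Port/Proto Range: 21:443
"""

# The "src -> dst(portscan) <scan type>" line; spacing around "(portscan)" varies.
_HEADER = re.compile(r"^(\S+)\s*->\s*(\S+)\s*\(portscan\)\s*(.+?)\s*$")
_INT_FIELDS = ("event_id", "Priority Count", "Connection Count", "IP Count", "Port/Proto Count")

def parse_event(block: str) -> dict:
    """Parse one blank-line-delimited sfportscan event into a dict of typed fields."""
    ev = {}
    for line in block.strip().splitlines():
        m = _HEADER.match(line)
        if m:
            ev["src"], ev["dst"], ev["scan_type"] = m.groups()
            continue
        key, sep, value = line.partition(":")  # first colon only, so "Time" keeps its hh:mm:ss
        if not sep:
            raise ValueError(f"unrecognised sfportscan line: {line!r}")
        ev[key.strip()] = value.strip()
    for k in _INT_FIELDS:
        ev[k] = int(ev[k])
    lo, hi = ev["Port/Proto Range"].split(":")
    ev["Port/Proto Range"] = (int(lo), int(hi))
    return ev

def parse_sfportscan(text: str) -> list:
    """Split a whole log file into its blank-line-separated events and parse each."""
    return [parse_event(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
```

Note that an sfportscan event carries per-scan counts and ranges, not the per-packet TCP flags of the older portscan.log line, so a consumer that keyed on those flags cannot get them back from this log.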