[Snort-users] Barnyard2 configuration and event generation

beenph beenph at ...11827...
Wed Dec 19 13:44:26 EST 2012


That's the syslog output.

-elz



On Wed, Dec 19, 2012 at 1:39 PM, Steve Marotta <smarotta at ...16014...> wrote:

> Okay, that's closer. Here, I have an example of the sort of thing that I'm
> looking for. I have log files generated by some process that is unknown to
> me, but it's along the lines of the kind of detail that I want. I want to
> know how to generate output similar to the following:
>
> 10/01/06-17:14:08.905284  [**] [1:466:4] ICMP L3retriever Ping [**]
> [Classification: Attempted Information Leak] [Priority: 2] {ICMP}
> 100.10.20.7 -> 100.10.20.3
> 10/01/06-17:14:08.906552  [**] [1:466:4] ICMP L3retriever Ping [**]
> [Classification: Attempted Information Leak] [Priority: 2] {ICMP}
> 100.10.20.7 -> 100.10.20.3
> 10/01/06-17:14:08.909629  [**] [1:3003:4] NETBIOS SMB-DS Session Setup
> NTMLSSP unicode asn1 overflow attempt [**] [Classification: Generic
> Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.7:3045 ->
> 100.10.20.3:445
> 10/01/06-17:14:08.912910  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode
> share access [**] [Classification: Generic Protocol Command Decode]
> [Priority: 3] {TCP} 100.10.20.7:3045 -> 100.10.20.3:445
> 10/01/06-17:14:14.394597  [**] [1:466:4] ICMP L3retriever Ping [**]
> [Classification: Attempted Information Leak] [Priority: 2] {ICMP}
> 100.10.20.8 -> 100.10.20.3
> 10/01/06-17:14:14.395833  [**] [1:466:4] ICMP L3retriever Ping [**]
> [Classification: Attempted Information Leak] [Priority: 2] {ICMP}
> 100.10.20.8 -> 100.10.20.3
> 10/01/06-17:14:14.398579  [**] [1:3003:4] NETBIOS SMB-DS Session Setup
> NTMLSSP unicode asn1 overflow attempt [**] [Classification: Generic
> Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.8:3054 ->
> 100.10.20.3:445
> 10/01/06-17:14:14.401683  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode
> share access [**] [Classification: Generic Protocol Command Decode]
> [Priority: 3] {TCP} 100.10.20.8:3054 -> 100.10.20.3:445
> 10/01/06-17:14:20.129381  [**] [1:466:4] ICMP L3retriever Ping [**]
> [Classification: Attempted Information Leak] [Priority: 2] {ICMP}
> 100.10.20.10 -> 100.10.20.3
> 10/01/06-17:14:20.130816  [**] [1:466:4] ICMP L3retriever Ping [**]
> [Classification: Attempted Information Leak] [Priority: 2] {ICMP}
> 100.10.20.10 -> 100.10.20.3
> 10/01/06-17:14:20.133548  [**] [1:3003:4] NETBIOS SMB-DS Session Setup
> NTMLSSP unicode asn1 overflow attempt [**] [Classification: Generic
> Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.10:3145 ->
> 100.10.20.3:445
> 10/01/06-17:14:20.136576  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode
> share access [**] [Classification: Generic Protocol Command Decode]
> [Priority: 3] {TCP} 100.10.20.10:3145 -> 100.10.20.3:445
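The lines Steve quoted are Snort's "fast" alert format (the same one-line-per-alert layout Barnyard2 emits to syslog). The following parser is an added example, not code from this thread or from the Snort/Barnyard2 projects: it turns each line into a structured record (gid:sid:rev, message, classification, priority, protocol, endpoints) and then counts alerts per signature and per source host, which is the first thing an analyst usually wants from this output. The sample lines are constructed from the quoted alerts, rejoined onto one line each as Snort actually writes them (the mail client wrapped them), plus one stray wrapped fragment to show that malformed lines are skipped rather than crashing the run. The parser assumes IPv4 endpoints: a port is taken to be the digits after the last ":" of an endpoint, which would be ambiguous for unbracketed IPv6 addresses.

```python
"""Parse Snort fast-alert lines into records and summarize them (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# Fast-alert layout, one alert per line:
#   TIMESTAMP [**] [gid:sid:rev] MESSAGE [**] [Classification: ...] [Priority: N] {PROTO} SRC -> DST
# The [Classification: ...] block is optional in real Snort output, so it is optional here too.
_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2})?-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    message: str
    classification: Optional[str]
    priority: int
    protocol: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]

    @property
    def signature(self) -> str:
        return f"{self.gid}:{self.sid}:{self.rev}"


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'100.10.20.7:3045' -> ('100.10.20.7', 3045); '100.10.20.7' -> ('100.10.20.7', None).
    Assumption: IPv4 only, so the text after the last ':' is a port if it is all digits."""
    ip, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return ip, int(port)
    return endpoint, None


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a well-formed fast-alert line, or None for anything else."""
    m = _ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    return Alert(
        timestamp=m["ts"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        message=m["msg"],
        classification=m["cls"],
        priority=int(m["prio"]),
        protocol=m["proto"],
        src_ip=src_ip, src_port=src_port,
        dst_ip=dst_ip, dst_port=dst_port,
    )


def summarize(lines):
    """Count alerts by 'gid:sid:rev message' and by source IP; report how many lines were skipped."""
    by_signature, by_source, skipped = Counter(), Counter(), 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            skipped += 1          # wrapped fragments, headers, blank lines
            continue
        by_signature[f"{alert.signature} {alert.message}"] += 1
        by_source[alert.src_ip] += 1
    return by_signature, by_source, skipped


# Constructed sample: the quoted alerts rejoined to one line each, plus one stray wrapped fragment.
SAMPLE_LINES = """\
10/01/06-17:14:08.905284  [**] [1:466:4] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 100.10.20.7 -> 100.10.20.3
10/01/06-17:14:08.906552  [**] [1:466:4] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 100.10.20.7 -> 100.10.20.3
10/01/06-17:14:08.909629  [**] [1:3003:4] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.7:3045 -> 100.10.20.3:445
10/01/06-17:14:08.912910  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.7:3045 -> 100.10.20.3:445
10/01/06-17:14:14.394597  [**] [1:466:4] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 100.10.20.8 -> 100.10.20.3
10/01/06-17:14:14.395833  [**] [1:466:4] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 100.10.20.8 -> 100.10.20.3
10/01/06-17:14:14.398579  [**] [1:3003:4] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.8:3054 -> 100.10.20.3:445
10/01/06-17:14:14.401683  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.8:3054 -> 100.10.20.3:445
10/01/06-17:14:20.129381  [**] [1:466:4] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 100.10.20.10 -> 100.10.20.3
10/01/06-17:14:20.130816  [**] [1:466:4] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 100.10.20.10 -> 100.10.20.3
10/01/06-17:14:20.133548  [**] [1:3003:4] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.10:3145 -> 100.10.20.3:445
10/01/06-17:14:20.136576  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.10:3145 -> 100.10.20.3:445
100.10.20.7 -> 100.10.20.3
""".splitlines()

if __name__ == "__main__":
    by_sig, by_src, skipped = summarize(SAMPLE_LINES)
    for sig, n in by_sig.most_common():
        print(f"{n:4d}  {sig}")
    for src, n in by_src.most_common():
        print(f"{n:4d}  from {src}")
    print(f"skipped {skipped} unparseable line(s)")
```

Run as a script it prints the per-signature and per-source counts for the constructed sample; fed a real alert file (`for line in open(path)`) the same two functions work unchanged, since each alert is one line. Lines that do not match the layout are counted and skipped rather than aborting the run, which matters when a log has been line-wrapped or truncated in transit as the quoted copy was.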

