Snort mailing list archives

Empty alert records in unified spool for portscan and bo preprocessors...


From: Ed Quackenbush <equackenbush () riptech com>
Date: Thu, 13 Jun 2002 12:04:29 -0400

Hello all-

I'm getting blank records from barnyard for alerts generated by the portscan
and back orifice preprocessors.  I've used both the csv and fast alert
output plugins for barnyard and observed the same behavior.  The
corresponding records in xml output from snort are not blank and are
included below.  Is this user error/bad config, as designed, or a
snort/barnyard issue?

Edward Quackenbush
equackenbush () riptech com

here is the snort.conf output line:
output alert_unified: filename snort.alert, limit 128

here is the barnyard.conf output plugin line:
output alert_csv: /var/log/snort/barnyard/csv.out
event_id,timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode

barnyard csv outputs:
2,"1970-01-01 00:00:00",Snort Alert [100:1:0],0.0.0.0,,0.0.0.0,,"IP",,
4,"1970-01-01 00:00:00",Snort Alert [100:2:0],0.0.0.0,,0.0.0.0,,"IP",,

corresponding snort xml outputs:
 <event version="1.0">
    <sensor encoding="ascii" detail="full">
      <interface>eth0</interface>
      <ipaddr version="4">192.168.60.63</ipaddr>
      <hostname>drag-squire</hostname>
    </sensor>
    <signature id="1" revision="1">spp_portscan: PORTSCAN DETECTED from
192.168.60.127 (THRESHOLD 4 connections exceeded in 0 seconds)</signature>
    <timestamp>2002-06-11 17:05:06-04</timestamp>
  </event>

  <event version="1.0">
    <sensor encoding="ascii" detail="full">
      <interface>eth0</interface>
      <ipaddr version="4">192.168.60.63</ipaddr>
      <hostname>drag-squire</hostname>
    </sensor>
    <signature id="2" revision="1">spp_portscan: portscan status from
192.168.60.127: 14 connections across 1 hosts: TCP(14), UDP(0)</signature>
    <timestamp>2002-06-11 17:05:10-04</timestamp>
  </event>

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
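The post shows the failure mode a consumer of barnyard's alert_csv output has to cope with: preprocessor events (generator id 100 in the `[100:1:0]` signature reference) arrive with an epoch-zero timestamp, `0.0.0.0` addresses and empty ports, so a downstream pipeline that trusts those fields would either misfile them or silently lose the portscan evidence that the XML output still carries. The following parser, added here as an illustration and not code from the post or from the Snort/barnyard projects, reads lines in the exact field order of the `alert_csv` configuration line quoted above, extracts the gid:sid:rev triple, and flags the placeholder records so they can be routed to a separate review queue. The two blank lines are the ones from the post; the third, well-formed line and the `triage` routing are constructed assumptions for contrast.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field order taken from the alert_csv line in the post's barnyard.conf.
FIELDS = ["event_id", "timestamp", "msg", "srcip", "sport", "dstip", "dport",
          "protoname", "itype", "icode"]

# Constructed sample input: the two blank preprocessor records from the post,
# plus one well-formed rules-engine record (assumed shape) for contrast.
SAMPLE_CSV = """\
2,"1970-01-01 00:00:00",Snort Alert [100:1:0],0.0.0.0,,0.0.0.0,,"IP",,
4,"1970-01-01 00:00:00",Snort Alert [100:2:0],0.0.0.0,,0.0.0.0,,"IP",,
7,"2002-06-11 17:05:12",Snort Alert [1:1000001:1],192.168.60.127,4321,192.168.60.63,80,"TCP",,
"""

# "[gid:sid:rev]" as it appears inside the msg field.
SIG_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


@dataclass
class Alert:
    event_id: int
    timestamp: str
    msg: str
    gid: Optional[int]
    sid: Optional[int]
    rev: Optional[int]
    srcip: str
    sport: Optional[int]
    dstip: str
    dport: Optional[int]
    protoname: str

    @property
    def from_preprocessor(self) -> bool:
        # Generator id 1 is the rules engine; any other gid is a preprocessor.
        return self.gid is not None and self.gid != 1

    @property
    def is_blank(self) -> bool:
        # The symptom described in the post: epoch-zero time and all-zero IPs.
        return (self.timestamp.startswith("1970-01-01 00:00:00")
                and self.srcip == "0.0.0.0"
                and self.dstip == "0.0.0.0")


def _opt_int(value: str) -> Optional[int]:
    """Empty CSV cells (no port, no ICMP type) become None rather than 0."""
    return int(value) if value.strip() else None


def parse_alerts(text: str) -> List[Alert]:
    """Parse alert_csv lines in the FIELDS order into Alert records."""
    alerts: List[Alert] = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # skip blank lines
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {row}")
        rec = dict(zip(FIELDS, row))
        m = SIG_RE.search(rec["msg"])
        gid, sid, rev = (map(int, m.groups()) if m else (None, None, None))
        alerts.append(Alert(
            event_id=int(rec["event_id"]),
            timestamp=rec["timestamp"],
            msg=rec["msg"],
            gid=gid, sid=sid, rev=rev,
            srcip=rec["srcip"],
            sport=_opt_int(rec["sport"]),
            dstip=rec["dstip"],
            dport=_opt_int(rec["dport"]),
            protoname=rec["protoname"],
        ))
    return alerts


def triage(alerts: List[Alert]) -> Dict[str, List[int]]:
    """Route event ids: blank placeholder records go to a review queue,
    everything else proceeds as a normal alert."""
    queues: Dict[str, List[int]] = {"blank": [], "ok": []}
    for a in alerts:
        queues["blank" if a.is_blank else "ok"].append(a.event_id)
    return queues


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_CSV)
    for a in parsed:
        print(a.event_id, a.gid, a.sid, "preproc" if a.from_preprocessor else "rule",
              "BLANK" if a.is_blank else "ok")
    print(triage(parsed))
```

The blank check deliberately requires all three sentinel values together, so a genuine event that merely lacks ports (an IP-level alert, for instance) is not mistaken for a spool defect; the gid is parsed separately because it, not the zeroed addresses, is what tells you the record came from a preprocessor.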