Snort mailing list archives
Re: UDP Portscans Are Not Capture
From: James Hoagland <hoagland () SiliconDefense com>
Date: Mon, 30 Sep 2002 09:37:12 -0700
At 6:53 PM +0300 9/30/02, Grigoris Vidakis wrote:
Dear sir, I run Snort Version 1.8.3 (Build 88) on Linux 7.3 (2.4.18-3) and it captures and alerts me for UDP portscans, BUT on the same box, with the same kernel and libpcap, Snort Version 1.8.7 (Build 128) does not capture them..
To be clear, are you giving the same file as input (with -r) both times? That is, are both snorts seeing the same stream of packets? If this is the case, then we'll need to investigate.
Or, is it the case that the output of snort 1.8.3 (via -b) is becoming the input to snort 1.8.7 (via -r)? If this is the case, then Erek correctly noted that the binary (libpcap format) output of 1.8.3 may not be as complete as you think. Specifically, the packets that spp_portscan writes to its portscan.log file will only appear in that file and will not appear in the binary output file.
Please let us know which of the two situations applies to you.
Best regards,
Jim
(P.S. For those that read snort-devel, the #2 case is another place where my contribution from last night can help.)
--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
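An added check, not part of the thread, for Jim's first question: are both Snort runs really seeing the same packet stream? The script below parses two libpcap files directly (it assumes nothing about Snort or spp_portscan) and reports the IPv4/UDP packets present in a reference capture but missing from a second one; the two sample pcaps are constructed inline, the second deliberately lacking two of the three probes.

```python
import struct
from collections import Counter

def build_udp_packet(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/UDP frame (checksums left zero; enough for parsing)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00" * 12 + b"\x08\x00"          # zero MACs, EtherType IPv4
    return eth + ip + udp

def build_pcap(frames):
    """Wrap raw frames in a libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

def udp_flows(pcap_bytes):
    """Count (src, dst, sport, dport) for every IPv4/UDP packet in a libpcap file."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # handle either byte order
    off, flows = 24, Counter()
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17 or len(frame) < 14 + ihl + 8:
            continue                                # not UDP, or truncated
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        flows[(src, dst, sport, dport)] += 1
    return flows

def missing_udp(reference, candidate):
    """Flows seen in the reference stream but absent (or under-counted) in the candidate."""
    return {k: n - candidate.get(k, 0) for k, n in reference.items()
            if candidate.get(k, 0) < n}

# Constructed sample: three UDP probes in the full stream; the second file keeps only the first.
PROBES = [build_udp_packet("10.0.0.5", "10.0.0.9", 40000, p) for p in (53, 161, 500)]
FULL_PCAP = build_pcap(PROBES)
PARTIAL_PCAP = build_pcap(PROBES[:1])

if __name__ == "__main__":
    for flow, n in missing_udp(udp_flows(FULL_PCAP), udp_flows(PARTIAL_PCAP)).items():
        print("missing from second capture:", flow, "x", n)
```

Run it against the real files with `udp_flows(open(path, "rb").read())` for each capture; if the second run's input was produced by `-b`, the gap it reports is exactly the set of packets that never reached the binary log.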