Snort mailing list archives

Re: Snort sfpreprocessor question


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 31 May 2016 17:03:02 +0000

Hello Leo,

What are you trying to change the field to?

If you want to see what ports were scanned then you would need to turn up your logging to get more information.


05/31-15:37:07.430822  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] 
[Priority: 2] {PROTO:255} 127.0.0.1 -> 127.0.0.1
05/31-15:37:07.430822 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0xA9
127.0.0.1 -> 127.0.0.1 PROTO:255 TTL:64 TOS:0x0 ID:41288 IpLen:20 DgmLen:155 DF
50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20  Priority Count:
35 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75  5.Connection Cou
6E 74 3A 20 36 0A 49 50 20 43 6F 75 6E 74 3A 20  nt: 6.IP Count:
31 0A 53 63 61 6E 6E 65 72 20 49 50 20 52 61 6E  1.Scanner IP Ran
67 65 3A 20 31 32 37 2E 30 2E 30 2E 31 3A 31 32  ge: 127.0.0.1:12
37 2E 30 2E 30 2E 31 0A 50 6F 72 74 2F 50 72 6F  7.0.0.1.Port/Pro
74 6F 20 43 6F 75 6E 74 3A 20 36 0A 50 6F 72 74  to Count: 6.Port
2F 50 72 6F 74 6F 20 52 61 6E 67 65 3A 20 31 31  /Proto Range: 11
31 3A 38 30 38 30 0A                             1:8080.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
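The alert line shows only the pseudo-packet's protocol ({PROTO:255}) and endpoints; the scan details (the counts, the scanner IP range and the scanned port range) sit in the text payload of that pseudo-packet, which is why the hex dump above only appears once packet logging is turned up. As an added example that is not part of this thread, the Python below parses an alert line and the quoted hex dump into one structured record and checks the number of dumped bytes against DgmLen minus IpLen, so a truncated or mis-pasted dump is rejected instead of silently misparsed. It assumes the dump layout shown on this page (16 hex pairs per row, ASCII column after them, no offset column) and the IPv4 form of "Scanner IP Range"; the sample input is copied from the message above and joined onto single lines.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the alert, IP header line and hex dump quoted
# above, joined onto single lines so the example runs offline.
ALERT_LINE = (
    "05/31-15:37:07.430822  [**] [122:1:1] (portscan) TCP Portscan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{PROTO:255} 127.0.0.1 -> 127.0.0.1"
)
IP_HEADER_LINE = (
    "127.0.0.1 -> 127.0.0.1 PROTO:255 TTL:64 TOS:0x0 ID:41288 IpLen:20 DgmLen:155 DF"
)
HEXDUMP = """\
50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20  Priority Count:
35 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75  5.Connection Cou
6E 74 3A 20 36 0A 49 50 20 43 6F 75 6E 74 3A 20  nt: 6.IP Count:
31 0A 53 63 61 6E 6E 65 72 20 49 50 20 52 61 6E  1.Scanner IP Ran
67 65 3A 20 31 32 37 2E 30 2E 30 2E 31 3A 31 32  ge: 127.0.0.1:12
37 2E 30 2E 30 2E 31 0A 50 6F 72 74 2F 50 72 6F  7.0.0.1.Port/Pro
74 6F 20 43 6F 75 6E 74 3A 20 36 0A 50 6F 72 74  to Count: 6.Port
2F 50 72 6F 74 6F 20 52 61 6E 67 65 3A 20 31 31  /Proto Range: 11
31 3A 38 30 38 30 0A                             1:8080.
"""

# [gid:sid:rev] [(preprocessor)] message [[**]] [[Classification: ...]] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?:\((?P<preproc>[^)]*)\)\s+)?(?P<msg>.*?)\s+(?:\[\*\*\]\s*)?"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)
IPLEN_RE = re.compile(r"IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)")
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_alert_line(line: str) -> dict:
    """Pull rule id, preprocessor, protocol and endpoints out of one alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError("not a Snort alert line: %r" % line)
    proto = m["proto"]
    # sfportscan reports its pseudo-packet as {PROTO:255}; real traffic shows TCP/UDP/ICMP.
    proto_number = int(proto.split(":", 1)[1]) if proto.upper().startswith("PROTO:") else None
    return {
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "preproc": m["preproc"], "msg": m["msg"], "priority": int(m["priority"]),
        "proto": proto, "proto_number": proto_number, "src": m["src"], "dst": m["dst"],
    }


def payload_from_hexdump(dump: str) -> bytes:
    """Rebuild payload bytes from Snort's 16-bytes-per-row hex/ASCII dump.

    Assumed layout (as on this page): 16 hex pairs take 47 columns, then at
    least two spaces, then the ASCII column. Slicing at column 48 and requiring
    two-hex-digit tokens keeps ASCII text from being read as data.
    """
    out = bytearray()
    for row in dump.splitlines():
        for tok in row[:48].split():
            if not HEX_PAIR.fullmatch(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def expected_payload_length(ip_header_line: str) -> int:
    """DgmLen minus IpLen is how many payload bytes the dump should contain."""
    m = IPLEN_RE.search(ip_header_line)
    if m is None:
        raise ValueError("no IpLen/DgmLen in %r" % ip_header_line)
    return int(m["dgmlen"]) - int(m["iplen"])


def parse_portscan_payload(payload: bytes) -> dict:
    """Decode the newline-separated 'Key: Value' text in the sfportscan pseudo-packet."""
    fields = {}
    for raw in payload.decode("ascii").split("\n"):
        if raw:
            key, sep, value = raw.partition(": ")
            if not sep:
                raise ValueError("unexpected payload line: %r" % raw)
            fields[key] = value
    return fields


def summarize_portscan(alert_line: str, ip_header_line: str, hexdump: str) -> dict:
    """Combine the alert line and the dumped payload into one record, length-checked."""
    record = parse_alert_line(alert_line)
    payload = payload_from_hexdump(hexdump)
    want = expected_payload_length(ip_header_line)
    if len(payload) != want:
        raise ValueError("dump has %d bytes, header says %d (truncated dump?)" % (len(payload), want))
    fields = parse_portscan_payload(payload)
    port_lo, _, port_hi = fields["Port/Proto Range"].partition(":")
    ip_lo, _, ip_hi = fields["Scanner IP Range"].partition(":")  # IPv4 only (assumption)
    record.update({
        "priority_count": int(fields["Priority Count"]),
        "connection_count": int(fields["Connection Count"]),
        "ip_count": int(fields["IP Count"]),
        "port_proto_count": int(fields["Port/Proto Count"]),
        "port_range": (int(port_lo), int(port_hi)),
        "scanner_ip_range": (str(ip_address(ip_lo)), str(ip_address(ip_hi))),
    })
    return record


if __name__ == "__main__":
    for key, value in summarize_portscan(ALERT_LINE, IP_HEADER_LINE, HEXDUMP).items():
        print("%-18s %s" % (key, value))
```

The length check is the part worth keeping in any real parser: a dump cut short by a mail client or a log rotation still decodes to readable text, so without comparing against DgmLen minus IpLen a missing "Port/Proto Range" line would only show up as a KeyError later.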

From: Leo Nespoli [mailto:leo4b () hotmail it]
Sent: Tuesday, May 31, 2016 5:10 AM
To: Al Lewis (allewi); snort-users () lists sourceforge net
Subject: Re: Snort sfpreprocessor question


Hi Dr. Lewis,



I've attached the pcap file you requested.

I did an nmap scan so that a portscan rule fires.

I have the sfportscan preprocessor enabled, together with some preprocessor rules.

This is the log that is coming out:

 [122:1:1] (portscan) TCP Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 192.168.1.110 
-> 192.168.1.107



Thanks for your time and your availability,

MaLeo.

________________________________
From: Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>>
Sent: Tuesday, 31 May 2016 07:22
To: Leo Nespoli; snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: RE: Snort sfpreprocessor question


Can you provide a conf and pcap of the traffic that is generating PROTO:255 alerts please?



Thanks



Albert Lewis

QA SNORT/Sourcefire

SOURCEfire, Inc. now part of Cisco

9780 Patuxent Woods Drive
Columbia, MD 21046

Phone: (office) 443.430.7112

Email: allewi () cisco com<mailto:allewi () cisco com>



From: Leo Nespoli [mailto:leo4b () hotmail it]
Sent: Monday, May 30, 2016 2:06 PM
To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: [Snort-users] Snort sfpreprocessor question



Hello,



Is it possible to change the protocol field generated by sfpreprocessor?

I have some logs with {PROTO:255}, and I'd like to change this field.



Thanks,

MaLeo.