Snort mailing list archives
Re: Snort sfpreprocessor question
From: Leo Nespoli <leo4b () hotmail it>
Date: Tue, 31 May 2016 09:10:13 +0000
Hi Dr. Lewis,

I've attached the pcap file you requested. I did an nmap scan, so that a portscan rule is fired. I have the sfportscan preprocessor enabled, together with some preprocessor rules. This is the log that is coming out:

[122:1:1] (portscan) TCP Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 192.168.1.110 -> 192.168.1.107

Thanks for your time and your availability,
MaLeo.

________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: Tuesday, 31 May 2016 07:22
To: Leo Nespoli; snort-users () lists sourceforge net
Subject: RE: Snort sfpreprocessor question

Can you provide a conf and pcap of the traffic that is generating PROTO:255 alerts please?

Thanks

Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Leo Nespoli [mailto:leo4b () hotmail it]
Sent: Monday, May 30, 2016 2:06 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort sfpreprocessor question

Hello,

Is it possible to change the protocol field generated by sfpreprocessor? I have some logs with {PROTO:255}, and I'd like to change this field.

Thanks,
MaLeo.
Attachment:
proto_255.pcap
Description: proto_255.pcap
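The alert quoted above is in Snort's alert_fast format. The {PROTO:255} field is the IP protocol number of the packet the alert was raised on; for sfPortscan (GID 122) that is, as the Snort 2 manual describes it, a generated pseudo-packet carrying the scan statistics as payload, with IP protocol 255 rather than the transport that was scanned. The transport is instead in the message text ("TCP Portscan", "UDP Portsweep", and so on). The following is an added example, not code from this thread or from the Snort project, that parses alert_fast lines and normalizes the protocol field downstream, taking the scanned transport from the message for GID 122 while keeping Snort's raw value alongside it. Only the first sample line is from the thread; the other sample lines, the field names and the helper names are this example's own assumptions.

```python
import re
from dataclasses import dataclass, asdict
from typing import List, Optional

# Constructed sample input. The first line is the alert quoted in the thread;
# the rest are made up here to show the other shapes alert_fast lines take
# (optional timestamp prefix, host:port endpoints, no Classification field).
SAMPLE_ALERTS = [
    "[122:1:1] (portscan) TCP Portscan [Classification: Attempted Information Leak] "
    "[Priority: 2] {PROTO:255} 192.168.1.110 -> 192.168.1.107",
    "05/31-09:10:13.123456  [122:3:1] (portscan) UDP Portscan "
    "[Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} "
    "192.168.1.110 -> 192.168.1.107",
    "[1:1000001:1] Constructed TCP test rule [Classification: Misc activity] "
    "[Priority: 3] {TCP} 192.168.1.110:45120 -> 192.168.1.107:22",
    "[1:1000002:1] Constructed ICMP test rule [Priority: 3] {ICMP} "
    "192.168.1.110 -> 192.168.1.107",
]

ALERT_RE = re.compile(
    r"^(?:(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+)?"   # optional timestamp
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"    # [gid:sid:rev]
    r"(?P<msg>.*?)\s+"                                   # rule message
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"     # optional classtype
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"                           # {TCP} or {PROTO:255}
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

PORTSCAN_GID = 122          # sfPortscan generator id, as in the quoted alert
# IANA IP protocol numbers; 255 is "Reserved", which is what the pseudo-packet carries.
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmpv6", 255: "reserved"}
NAME_TO_IP_PROTO = {v: k for k, v in IP_PROTO_NAMES.items()}
SCAN_TRANSPORTS = {"tcp", "udp", "icmp", "ip"}   # first word of sfPortscan messages


@dataclass
class Alert:
    timestamp: Optional[str]
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto_raw: str            # exactly what Snort printed between the braces
    ip_proto: Optional[int]   # numeric IP protocol when it can be derived
    proto: str                # normalized name for downstream consumers
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def split_endpoint(endpoint: str):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); a bare IPv4 address has no port."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit() and "." in host:
        return host, int(port)
    return endpoint, None


def decode_proto(raw: str):
    """Map the {...} field to (ip_proto_number or None, normalized name)."""
    m = re.fullmatch(r"PROTO:(\d+)", raw)
    if m:
        num = int(m.group(1))
        return num, IP_PROTO_NAMES.get(num, f"proto-{num}")
    name = raw.lower()
    return NAME_TO_IP_PROTO.get(name), name


def parse_alert(line: str) -> Alert:
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an alert_fast line: {line!r}")
    gid, sid, rev = (int(m.group(k)) for k in ("gid", "sid", "rev"))
    msg = m.group("msg")
    ip_proto, proto = decode_proto(m.group("proto"))
    # sfPortscan alerts are raised on a pseudo-packet, so {PROTO:255} does not
    # name the scanned transport; the message text does, so use it instead.
    if gid == PORTSCAN_GID:
        words = msg.replace("(portscan)", "").split()
        if words and words[0].lower() in SCAN_TRANSPORTS:
            proto = words[0].lower()
    src_ip, src_port = split_endpoint(m.group("src"))
    dst_ip, dst_port = split_endpoint(m.group("dst"))
    return Alert(m.group("ts"), gid, sid, rev, msg, m.group("cls"),
                 int(m.group("pri")), m.group("proto"), ip_proto, proto,
                 src_ip, src_port, dst_ip, dst_port)


def parse_many(lines: List[str]) -> List[Alert]:
    return [parse_alert(line) for line in lines if line.strip()]


if __name__ == "__main__":
    for alert in parse_many(SAMPLE_ALERTS):
        print(asdict(alert))
```

The raw value is kept in proto_raw so that nothing Snort wrote is lost; only the derived proto field is rewritten, and only for GID 122, where the braces are known not to describe the scanned traffic. Any other line keeps whatever Snort printed, lower-cased.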
Current thread:
- Snort sfpreprocessor question Leo Nespoli (May 30)
- Re: Snort sfpreprocessor question Al Lewis (allewi) (May 30)
- Re: Snort sfpreprocessor question Leo Nespoli (Jun 03)
- Re: Snort sfpreprocessor question Al Lewis (allewi) (May 31)
- Re: Snort sfpreprocessor question Leo Nespoli (May 31)
- Re: Snort sfpreprocessor question Al Lewis (allewi) (May 31)
- Re: Snort sfpreprocessor question Leo Nespoli (Jun 03)
- Re: Snort sfpreprocessor question Al Lewis (allewi) (May 30)