Snort mailing list archives
Re: Snort++ weird alerts popping
From: Russ <rucombs () cisco com>
Date: Mon, 26 Sep 2016 07:54:35 -0400
alert_full has not yet been updated for PDU alerts. In the meantime, alert_fast / cmg will give you similar info.
On 9/26/16 7:17 AM, João Soares wrote:
Hey, thanks for your reply. The version I'm using is version 3.0.0-a4 (Build 197) from 2.9.7-262. I'm testing what you suggested, and I'm currently outputting the logs into both alert_full and csv. The following is an example of the same alert in both formats:

alert_full:
[**] [1:3827:14] "SERVER-WEBAPP PHP xmlrpc.php post attempt" [**] 09/26/16-12:15:09.913247

alert_csv (IPs are hidden for privacy purposes):
09/26/16-12:15:09.913247, 3027648, TCP, stream_tcp, 462, C2S, <IP>:52837, <IP>:80, 1:3827:14, allow

Using alert_csv, I'm getting the remaining info, source IP and port, destination IP and port, etc., but that is still not happening with alert_full. Please note that I'm using the same example (xmlrpc.php post attempt), but this happens with other rules as well.

On 09/26/2016 03:50 AM, Russ wrote:
What version of Snort++ are you running? Can you try using -A cmg or -A csv to see what the alerts look like?

On 9/25/16 12:14 PM, João Soares wrote:
Greetings,
Lately I've been having a few problems with Snort++. Some alerts are constantly showing up with no relevant info, like this one:
[**] [1:3827:14] "SERVER-WEBAPP PHP xmlrpc.php post attempt" [**] 09/25/16-17:10:44.470717
There are instances of the same alert with every bit of detail, like the classification, source and destination IPs/MACs, but then there are many like the one above with nothing but the description. Has this ever occurred to anyone?
--
João Soares
SIC - Serviço de Informática e Comunicações
https://helpdesk.dei.uc.pt
Department of Informatics Engineering
Faculty of Science and Technology
University of Coimbra
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
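The thread boils down to a logging problem: in this Snort 3 alpha, alert_full writes only the header line for PDU (reassembled-stream) alerts, while alert_csv still carries the endpoints, so the only way to get complete records is to correlate the two outputs. The following is an added example written for this page, not code from Russ, João Soares or the Snort project. It parses both formats as they appear above, flags alert_full records that carry no endpoints, and fills them in from alert_csv by matching on gid:sid:rev plus timestamp. Assumptions: the alert_csv column order is taken to be Snort 3's default (timestamp, pkt_num, proto, pkt_gen, pkt_len, dir, src_ap, dst_ap, rule, action) because that is what the quoted line fits; the "src:port -> dst:port" continuation line is an assumed alert_full layout for the records that do carry detail; the sample lines are constructed from the thread with the hidden addresses replaced by documentation IPs.

```python
"""Correlate Snort 3 alert_full and alert_csv output (added example, not Snort code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed Snort 3 default alert_csv field order; verify against your own alert_csv config.
CSV_FIELDS = ("timestamp", "pkt_num", "proto", "pkt_gen", "pkt_len",
              "dir", "src_ap", "dst_ap", "rule", "action")

# alert_full header as quoted in the thread: [**] [gid:sid:rev] "msg" [**] timestamp
FULL_HEADER = re.compile(
    r'^\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"(?P<msg>[^"]*)"\s+\[\*\*\]\s+(?P<ts>\S+)'
)
# Assumed layout of the detail line that complete alert_full records carry.
ENDPOINTS_RE = re.compile(r"(\S+:\d+)\s+->\s+(\S+:\d+)")
RULE_RE = re.compile(r"^(\d+):(\d+):(\d+)$")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    timestamp: str
    msg: Optional[str] = None
    src: Optional[tuple[str, int]] = None
    dst: Optional[tuple[str, int]] = None
    extra: dict = field(default_factory=dict)

    @property
    def key(self) -> tuple[int, int, int, str]:
        return (self.gid, self.sid, self.rev, self.timestamp)

    @property
    def has_endpoints(self) -> bool:
        return self.src is not None and self.dst is not None


def split_ap(ap: str) -> tuple[str, int]:
    """Split 'addr:port' on the last colon so IPv6 literals survive."""
    host, _, port = ap.rpartition(":")
    return host, int(port)


def parse_alert_full(text: str) -> list[Alert]:
    """Each [**] header starts a record; following lines up to the next header belong to it."""
    alerts: list[Alert] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FULL_HEADER.match(line)
        if m:
            alerts.append(Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["ts"], msg=m["msg"]))
            continue
        if not alerts or not line:
            continue
        e = ENDPOINTS_RE.search(line)
        if e and not alerts[-1].has_endpoints:
            alerts[-1].src, alerts[-1].dst = split_ap(e.group(1)), split_ap(e.group(2))
    return alerts


def parse_alert_csv(text: str) -> list[Alert]:
    """Default alert_csv has no free-text field, so a plain comma split is safe."""
    alerts: list[Alert] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != len(CSV_FIELDS):
            raise ValueError(f"expected {len(CSV_FIELDS)} csv fields, got {len(parts)}: {raw!r}")
        rec = dict(zip(CSV_FIELDS, parts))
        rm = RULE_RE.match(rec["rule"])
        if not rm:
            raise ValueError(f"bad rule id {rec['rule']!r}")
        alerts.append(Alert(int(rm[1]), int(rm[2]), int(rm[3]), rec["timestamp"],
                            src=split_ap(rec["src_ap"]), dst=split_ap(rec["dst_ap"]),
                            extra={k: rec[k] for k in ("pkt_num", "proto", "pkt_gen",
                                                       "pkt_len", "dir", "action")}))
    return alerts


def bare_alerts(alerts: list[Alert]) -> list[Alert]:
    """Records that came out of alert_full with nothing but the header line."""
    return [a for a in alerts if not a.has_endpoints]


def recover_endpoints(full: list[Alert], csv: list[Alert]) -> int:
    """Fill bare alert_full records from alert_csv by gid:sid:rev + timestamp; returns count fixed."""
    index = {a.key: a for a in csv}
    fixed = 0
    for a in bare_alerts(full):
        match = index.get(a.key)
        if match is not None:
            a.src, a.dst, a.extra = match.src, match.dst, dict(match.extra)
            fixed += 1
    return fixed


# Constructed sample: first alert_full record is bare (as in the thread), second is complete.
SAMPLE_FULL = """\
[**] [1:3827:14] "SERVER-WEBAPP PHP xmlrpc.php post attempt" [**] 09/26/16-12:15:09.913247
[**] [1:3827:14] "SERVER-WEBAPP PHP xmlrpc.php post attempt" [**] 09/26/16-12:15:10.000001
192.0.2.10:52838 -> 198.51.100.5:80
"""
SAMPLE_CSV = """\
09/26/16-12:15:09.913247, 3027648, TCP, stream_tcp, 462, C2S, 192.0.2.10:52837, 198.51.100.5:80, 1:3827:14, allow
"""

if __name__ == "__main__":
    full, csv = parse_alert_full(SAMPLE_FULL), parse_alert_csv(SAMPLE_CSV)
    print(f"bare alert_full records before: {len(bare_alerts(full))}")
    print(f"recovered from alert_csv: {recover_endpoints(full, csv)}")
    print(f"bare alert_full records after: {len(bare_alerts(full))}")
```

The join key is gid:sid:rev plus the microsecond timestamp, which is unique enough in practice; if the same rule fires twice on the same packet it will collide, so if that matters in your deployment include pkt_num from alert_csv or, as Russ suggests, simply take the alert_fast or cmg output as the primary record until alert_full catches up.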
Current thread:
- Snort++ weird alerts popping João Soares (Sep 25)
- Re: Snort++ weird alerts popping Russ (Sep 25)
- Re: Snort++ weird alerts popping João Soares (Sep 26)
- Re: Snort++ weird alerts popping Russ (Sep 26)
- Re: Snort++ weird alerts popping João Soares (Sep 26)
- Re: Snort++ weird alerts popping Russ (Sep 25)