Snort mailing list archives
Re: Snortsnarf 020516.1 and Snort 1.9.0 errors
From: James Hoagland <hoagland () SiliconDefense com>
Date: Tue, 15 Oct 2002 12:36:50 -0700
At 10:28 AM -0400 10/15/02, Eric Joe wrote:
Are there any known issues with Snortsnarf 020516.1 and Snort 1.9.0?
Yes. Soon, I'm going to be getting a new version of SnortSnarf together to address the issues folks have been having with the output coming out of Snort 1.9. (Some of these problems are due to bugs in Snort, but I'll try to work around them.)
I know some folks have already sent me information, but in order to make sure my coverage is complete enough, can folks tell me (in private e-mail, not to this list) what output format (e.g., fast alert format) SnortSnarf is having problems with and if possible some specific problem alerts.
Thank you, Jim
Since upgrading to 1.9.0 I get a lot of errors when parsing the alerts file.

Here is the command I use

perl /home/snort/SnortSnarf/snortsnarf.pl /var/log/snort/alert

and here are some example errors

unknown alert format for line: TCP Options (4) => MSS: 1460 NOP NOP SackOK ; skipping
unknown alert format for line: TCP TTL:64 TOS:0x0 ID:6512 IpLen:20 DgmLen:60 DF; skipping
unknown alert format for line: ******S* Seq: 0x700AFBA3 Ack: 0x0 Win: 0x16D0TcpLen: 40 ; skipping
unknown alert format for line: TCP Options (5) => MSS: 1460 SackOK TS: 427680467 0 NOP WS: 0 ; skipping
unknown alert format for line: UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:72 DF ; skipping
unknown alert format for line: Len: 52 ; skipping
unknown alert format for line: UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:82 DF ; skipping
unknown alert format for line: Len: 62 ; skipping

Thanks
--
Eric Joe
Network Operations
Journey's End Internet/Computer Connection Inc

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
