Re: snort 2.0.0 logging problem?

[Erek Adams <erek () snort org>]

On Fri, 20 Jun 2003, sb ch wrote:

> ## the correct format :
> [**] [1:2049:1] MS-SQL ping attempt [**]
> [Classification: Misc activity] [Priority: 3]
> 06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
> UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
> Len: 1
> [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
>
>
> ## but my incorrect format below:
> [**] [1:2049:1] MS-SQL ping attempt [**]
> [Classification: Misc activity] [Priority: 3]
> [**] [1:2049:1] MS-SQL ping attempt [**]
> [Classification: Misc activity] [Priority: 3]
> 06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
> UDP TTL:128 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
> Len: 1
> [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
> 06/18-18:43:44.248450 211.xx.xx.xx:3314 -> 255.255.255.255:1434
>
> UDP TTL:126 TOS:0x0 ID:40608 IpLen:20 DgmLen:29
> Len: 1
> [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
>
> So, my snort log analyzer program would not work well.

Are you running two instances of Snort?  It seems like that's the same
entry that was duplicated half on itself.  If you had two instances
logging to the same file, that could happen.

How are you starting Snort and what output methods do you have enabled?

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users