Snort mailing list archives
Re: Snort sfpreprocessor question
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 31 May 2016 21:11:55 +0000
Leo,
This looks like a bug. If changes are made to the code, the protocol number displays correctly.
We are looking into the proper fix and I will get back to you shortly.
Thanks!
Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
From: Leo Nespoli [mailto:leo4b () hotmail it]
Sent: Tuesday, May 31, 2016 1:20 PM
To: Al Lewis (allewi)
Cc: 'snort-users' (snort-users () lists sourceforge net)
Subject: Re: Snort sfpreprocessor question
Hello!
What I'd like to change is the "protocol field":
05/31-15:37:07.430822 [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 127.0.0.1 -> 127.0.0.1
First of all, because I cannot reach full compatibility with other tools; and then I think it would be nicer if a TCP portscan had {TCP} as its protocol.
Do you think that this is possible?
Thanks!
________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: Tuesday, May 31, 2016 19:03
To: Leo Nespoli
Cc: 'snort-users' (snort-users () lists sourceforge net)
Subject: RE: Snort sfpreprocessor question
Hello Leo,
What are you trying to change the field to?
If you want to see what ports were scanned then you would need to turn up your logging to get more information.
05/31-15:37:07.430822 [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 127.0.0.1 -> 127.0.0.1
05/31-15:37:07.430822 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0xA9
127.0.0.1 -> 127.0.0.1 PROTO:255 TTL:64 TOS:0x0 ID:41288 IpLen:20 DgmLen:155 DF
50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20 Priority Count:
35 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75 5.Connection Cou
6E 74 3A 20 36 0A 49 50 20 43 6F 75 6E 74 3A 20 nt: 6.IP Count:
31 0A 53 63 61 6E 6E 65 72 20 49 50 20 52 61 6E 1.Scanner IP Ran
67 65 3A 20 31 32 37 2E 30 2E 30 2E 31 3A 31 32 ge: 127.0.0.1:12
37 2E 30 2E 30 2E 31 0A 50 6F 72 74 2F 50 72 6F 7.0.0.1.Port/Pro
74 6F 20 43 6F 75 6E 74 3A 20 36 0A 50 6F 72 74 to Count: 6.Port
2F 50 72 6F 74 6F 20 52 61 6E 67 65 3A 20 31 31 /Proto Range: 11
31 3A 38 30 38 30 0A 1:8080.
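As an added example (my own code, not Snort's and not from either poster), here is a small Python normaliser for the fast-alert header and the verbose payload dump quoted above: it keeps the logged PROTO:255 but adds a derived transport taken from the sfportscan message text, and decodes the "Key: value" payload so the scanned port range can be exported to other tools. The record field names and the three-row sample dump are assumptions built to match the output shown in this thread.

```python
import re
# Added example (not Snort's code): normalise sfportscan fast alerts and decode the verbose payload dump.
ALERT_RE = re.compile(
    r"(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)")
PORTSCAN_GID = 122  # generator id of sfportscan, as in [122:1:1]

def parse_alert(line):
    """Parse a fast-alert header; for sfportscan alerts stamped with the
    placeholder PROTO:255, derive the transport from the alert message."""
    m = ALERT_RE.match(" ".join(line.split()))  # tolerate wrapped lines
    if not m:
        return None
    rec = {k: int(v) if k in ("gid", "sid", "rev", "pri") else v
           for k, v in m.groupdict().items()}
    rec["norm_proto"] = rec["proto"]  # keep the logged value; add a derived one
    if rec["gid"] == PORTSCAN_GID and rec["proto"] == "PROTO:255":
        t = re.search(r"\b(TCP|UDP|ICMP|IP)\b", rec["msg"])
        if t:
            rec["norm_proto"] = t.group(1)  # "(portscan) TCP Portscan" -> "TCP"
    return rec

def decode_hexdump(dump):
    """Rebuild payload bytes from Snort's '<up to 16 hex bytes> <ascii>' rows."""
    out = bytearray()
    for row in dump.splitlines():
        for tok in row.split()[:16]:  # never read past the 16-byte hex column
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break  # short final row: the ASCII column starts here
            out.append(int(tok, 16))
    return bytes(out)

def parse_portscan_payload(payload):
    """Split the 'Key: value' lines sfportscan writes into a dict."""
    fields = {}
    for ln in payload.decode("ascii", "replace").splitlines():
        key, sep, val = ln.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields

# Constructed sample: the header quoted in this thread and a three-row dump (row 1 from the thread, rows 2-3 built to the same layout).
SAMPLE_ALERT = ("05/31-15:37:07.430822 [**] [122:1:1] (portscan) TCP Portscan [**] "
                "[Classification: Attempted Information Leak] [Priority: 2] "
                "{PROTO:255} 127.0.0.1 -> 127.0.0.1")
SAMPLE_DUMP = """50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20 Priority Count:
35 0A 50 6F 72 74 2F 50 72 6F 74 6F 20 52 61 6E 5.Port/Proto Ran
67 65 3A 20 31 31 31 3A 38 30 38 30 0A ge: 111:8080."""
```

Feeding the full nine-row dump from Al's message through `parse_portscan_payload(decode_hexdump(...))` yields all six scan fields, including the scanner IP range and the 111:8080 port range.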
From: Leo Nespoli [mailto:leo4b () hotmail it]
Sent: Tuesday, May 31, 2016 5:10 AM
To: Al Lewis (allewi); snort-users () lists sourceforge net
Subject: Re: Snort sfpreprocessor question
Hi Dr. Lewis,
I've attached the pcap file you requested from me.
I did an nmap scan so that a portscan rule fires.
I have the sfportscan preprocessor enabled, together with some preprocessor rules.
This is the log that is coming out:
[122:1:1] (portscan) TCP Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 192.168.1.110 -> 192.168.1.107
Thanks for your time and your availability,
MaLeo.
________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: Tuesday, May 31, 2016 07:22
To: Leo Nespoli; snort-users () lists sourceforge net
Subject: RE: Snort sfpreprocessor question
Can you provide a conf and pcap of the traffic that is generating PROTO:255 alerts please?
Thanks
From: Leo Nespoli [mailto:leo4b () hotmail it]
Sent: Monday, May 30, 2016 2:06 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort sfpreprocessor question
Hello,
Is it possible to change the protocol field generated by sfpreprocessor?
I have some logs with {PROTO:255}, and I'd like to change this field.
Thanks,
MaLeo.
