From: Erek Adams (erek@theadamsfamily.net)
Date: Thu Nov 01 2001 - 15:42:19 CST

    Ok, after puttering with this for a while, I thought I'd see if anyone has any
    insight on this weirdness. It's damned odd, since this works just fine on the
    same box using snort 1.7 and an older version of snort_stat.

    With Snort Version 1.8.2-beta0 (Build 85) and
    # $Id: snort_stat.pl,v 1.15.2.6 2001/08/24 01:24:43 yenming Exp $

    I grabbed 4 entries from my full alert file and placed them into a small file
    called testme. Then 'cat testme | ./new_snort_stat.pl'. Now, I would expect
    the normal output, but instead I get almost nothing:

    ---
    [erek@merf]/var/log/snort#cat testme | ./new_snort_stat.pl
    Subject: snort daily report

    The log begins from:  ::
    The log ends     at:  ::
    Total events: 0
    Signatures recorded: 0
    Source IP recorded: 0
    Destination IP recorded: 0

    [...snip...]

    The distribution of attack methods
    ===============================================
       # of      %
     attacks          method
    ===============================================

    ---

    All of the stats show _nothing_. No alerts or anything. But--In the testme file, I have the following:

    ---
    [**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
    09/26/01-18:40:47.967396 206.191.48.234:3006 -> 10.10.0.73:80
    TCP TTL:106 TOS:0x4 ID:28063 IpLen:20 DgmLen:185 DF
    ***AP*** Seq: 0x47AC98A  Ack: 0xD9FCC5DA  Win: 0x2238  TcpLen: 20

    [**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
    09/26/01-18:40:48.217643 206.191.48.234:3045 -> 10.10.0.73:80
    TCP TTL:106 TOS:0x4 ID:61599 IpLen:20 DgmLen:137 DF
    ***AP*** Seq: 0x47ACA94  Ack: 0xD9FDD3EB  Win: 0x2238  TcpLen: 20

    [**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
    09/26/01-18:40:48.465891 206.191.48.234:3072 -> 10.10.0.73:80
    TCP TTL:106 TOS:0x4 ID:21152 IpLen:20 DgmLen:137 DF
    ***AP*** Seq: 0x47ACB7F  Ack: 0xD9FF05D3  Win: 0x2238  TcpLen: 20

    [**] [1:515:2] MISC source port 53 to <1024 [**]
    [Classification: Potentially Bad Traffic] [Priority: 2]
    09/26/01-21:46:50.717413 129.250.35.250:53 -> 10.10.0.76:137
    UDP TTL:246 TOS:0x0 ID:20975 IpLen:20 DgmLen:128 DF
    Len: 108
    ---

    Anyone? Bueller?

    -----
    Erek Adams
    Nifty-Type-Guy
    TheAdamsFamily.Net

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users