Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Did something change recently with snort output? (alerts)

    pfSense Packages
    1
    1
    832
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      ljimber last edited by

      Hi,

      Old box running Snort 2.9.2.3 pkg v. 2.3.0 had the following snort alert format:

      [] [122:5:1] PSNG_TCP_FILTERED_PORTSCAN []
      [Classification: Attempted Information Leak] [Priority: 2]
      08/15-18:34:57.787598 1.1.1.1 -> 2.2.2.2
      PROTO:255 TTL:118 TOS:0x0 ID:2 IpLen:20 DgmLen:167 DF

      New test box Snort 2.9.2.3 pkg v. 2.5.1 has the following alert format:

      09/06-18:44:06.877103 ,119,14,1,"(http_inspect) NON-RFC DEFINED CHAR",TCP,3.3.3.3,60048,4.4.4.4,5551,62981,Potentially Bad Traffic,2,

      I went digging for a change log and could not find one?

      We have custom scripts that parse this output and trying to figure out if I missed something in the config or something really changed between the packages.

      Thanks,
      Lee

      1 Reply Last reply Reply Quote 0
      • First post
        Last post