Did something change recently with snort output? (alerts)
ljimber last edited by
Old box running Snort 126.96.36.199 pkg v. 2.3.0 had the following snort alert format:
 [122:5:1] PSNG_TCP_FILTERED_PORTSCAN 
[Classification: Attempted Information Leak] [Priority: 2]
08/15-18:34:57.787598 188.8.131.52 -> 184.108.40.206
PROTO:255 TTL:118 TOS:0x0 ID:2 IpLen:20 DgmLen:167 DF
New test box Snort 220.127.116.11 pkg v. 2.5.1 has the following alert format:
09/06-18:44:06.877103 ,119,14,1,"(http_inspect) NON-RFC DEFINED CHAR",TCP,18.104.22.168,60048,22.214.171.124,5551,62981,Potentially Bad Traffic,2,
I went digging for a change log and could not find one.
We have custom scripts that parse this output, and I am trying to figure out if I missed something in the config or if something really changed between the packages.
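A parser that accepts both layouts quoted in the post and returns the same fields for each, as an added example that is not part of the original post or of the Snort package. The CSV column names are assumptions inferred from the sample line, and `parse_alert` and `_endpoint` are hypothetical helper names.

```python
import csv
import re

# Old layout, as in the post: "[gid:sid:rev] msg", a classification/priority
# line, "timestamp src -> dst" (ports optional), then a packet-detail line.
HEAD = re.compile(r"\[(\d+):(\d+):(\d+)\][ \t]*(.*?)[ \t]*(?:\[\*\*\])?[ \t]*$", re.M)
CLASS = re.compile(r"\[Classification:\s*(.*?)\]\s*\[Priority:\s*(\d+)\]")
FLOW = re.compile(r"^(\d\d/\d\d-[\d:.]+)\s+(\S+)\s+->\s+(\S+)", re.M)
PROTO = re.compile(r"^(?:PROTO:(\d+)|([A-Z]+))\s+TTL:", re.M)
# New layout: column names are assumed, inferred from the sample line in the
# post. ip_id stays empty when parsing the old layout.
CSV_FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto", "src",
              "sport", "dst", "dport", "ip_id", "classification", "priority"]
CSV_START = re.compile(r"^\d\d/\d\d-[\d:.]+\s*,")

# Both samples are copied from the post.
OLD_SAMPLE = """[122:5:1] PSNG_TCP_FILTERED_PORTSCAN
[Classification: Attempted Information Leak] [Priority: 2]
08/15-18:34:57.787598 188.8.131.52 -> 184.108.40.206
PROTO:255 TTL:118 TOS:0x0 ID:2 IpLen:20 DgmLen:167 DF"""
NEW_SAMPLE = ('09/06-18:44:06.877103 ,119,14,1,"(http_inspect) NON-RFC DEFINED CHAR",'
              'TCP,18.104.22.168,60048,22.214.171.124,5551,62981,Potentially Bad Traffic,2,')


def _endpoint(text):
    """Split 'a.b.c.d:port' into (addr, port); port is '' when absent."""
    addr, sep, port = text.rpartition(":")
    return (addr, port) if sep and port.isdigit() and "." in addr else (text, "")


def parse_alert(record):
    """Parse one alert (CSV line or multi-line block) into a common dict."""
    record = record.strip()
    if CSV_START.match(record):
        row = next(csv.reader([record]))  # csv handles commas inside the quoted msg
    else:
        head, cls, flow = HEAD.search(record), CLASS.search(record), FLOW.search(record)
        if not (head and flow):
            raise ValueError("unrecognised alert layout")
        proto = PROTO.search(record)
        (src, sport), (dst, dport) = _endpoint(flow[2]), _endpoint(flow[3])
        row = [flow[1], head[1], head[2], head[3], head[4],
               (proto[1] or proto[2]) if proto else "", src, sport, dst, dport,
               "", cls[1] if cls else "", cls[2] if cls else ""]
    if len(row) < len(CSV_FIELDS):
        raise ValueError("too few columns for the assumed CSV layout")
    out = {k: v.strip() for k, v in zip(CSV_FIELDS, row)}
    for key in ("gid", "sid", "rev", "priority"):
        out[key] = int(out[key]) if out[key].isdigit() else None
    return out
```

Calling `parse_alert(OLD_SAMPLE)` and `parse_alert(NEW_SAMPLE)` yields dicts with identical keys, so downstream scripts can consume either layout.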