
List:       sguil-users
Subject:    Re: [Sguil-users] Updated sguil questions (portscans, etc.)
From:       Jeffrey Brown <jabrown () co ! jefferson ! co ! us>
Date:       2008-09-09 14:59:52
Message-ID: 3C8C5A4D1D4D074ABE7A53F1341F06051A6543 () ADEXCHANGE ! admin ! co ! jeffco ! us

> 1) I have some "portscan: Open Port" alerts, but in the Show Packet Data
> pane, only the IP section is filled out - the PortScan and Open Ports
> sections are both empty.  So there is no information on what ports were
> scanned, etc.  Lastly, if I select Wireshark on it, I get nothing (all
> empty).  How can I fix this?

If I recall correctly, snort changed the way portscans are done with sfPortscan. It
creates a pseudo packet with a different generator (122), so all you get is the data
that's presented, i.e. # of connections, # of hosts, etc.; no more pcaps. Regarding the
Open Port alerts, I've found that they can be mostly benign, i.e. authentic
client/server traffic, so I autocat them w/ the "magic" key F8!
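An added example (not code from the thread or from Sguil) showing how a triage script can recognise these generator-122 pseudo-packet alerts and read the summary fields they carry instead of a pcap, then apply the same "auto-categorise benign Open Port events" idea the reply describes. The sample alert is constructed; the Open Port sid (27) and the payload field names are assumed from sfPortscan's documented output format.

```python
import re
from dataclasses import dataclass, field

SFPORTSCAN_GID = 122  # generator id the reply mentions for sfPortscan pseudo packets
OPEN_PORT_SID = 27    # assumed: sid sfPortscan uses for its "Open Port" event

# Constructed sample alert: a Snort-style full-alert header line followed by the
# text payload sfPortscan writes into its pseudo packet (field names assumed from
# the sfPortscan documentation; addresses and values are made up).
SAMPLE_OPEN_PORT = """[**] [122:27:1] (portscan) Open Port [**]
192.0.2.10 -> 198.51.100.5
Open Port: 22
Priority Count: 0
Connection Count: 1
IP Count: 1
Scanner IP Range: 192.0.2.10:192.0.2.10
Port/Proto Count: 1
Port/Proto Range: 22:22
"""

@dataclass
class PortscanEvent:
    gid: int
    sid: int
    msg: str
    src: str
    dst: str
    counts: dict = field(default_factory=dict)  # numeric fields, e.g. "Connection Count" -> 1
    ranges: dict = field(default_factory=dict)  # textual fields, e.g. "Port/Proto Range" -> "22:22"

    def is_pseudo_packet(self) -> bool:
        # Generator 122 means no captured packet sits behind this alert, which is
        # why the packet-data pane and Wireshark have nothing to show for it.
        return self.gid == SFPORTSCAN_GID

def parse_portscan_alert(text: str) -> PortscanEvent:
    """Split the header into gid/sid/msg and the summary payload into named fields."""
    hdr = re.search(r"\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\]", text)
    hosts = re.search(r"^(\S+)\s+->\s+(\S+)$", text, re.M)
    if not hdr or not hosts:
        raise ValueError("not a Snort full-alert header")
    ev = PortscanEvent(int(hdr[1]), int(hdr[2]), hdr[3], hosts[1], hosts[2])
    for key, val in re.findall(r"^([\w/ ]+):\s*(.+)$", text, re.M):
        if val.isdigit():
            ev.counts[key] = int(val)
        else:
            ev.ranges[key] = val
    return ev

def triage(ev: PortscanEvent) -> str:
    """Mirror the reply's practice: a single-connection, single-host Open Port
    event looks like ordinary client/server traffic and is auto-categorised;
    anything else is left for an analyst to review."""
    if ev.is_pseudo_packet() and ev.sid == OPEN_PORT_SID \
            and ev.counts.get("Connection Count", 0) <= 1 \
            and ev.counts.get("IP Count", 0) <= 1:
        return "autocat"
    return "review"
```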


