Josh Polsky

Reputation: 1

snort and portscan logging

I posted a question a couple of days ago about the portscan log; however, this is a separate question that deals with the new portscan logs.

Time: 04/13-15:29:41.660134 event_id: 6042 x.x.x.x -> x.x.x.x(portscan) UDP Filtered Portscan Priority Count: 0 Connection Count: 200 IP Count: 66 Scanner IP Range:x.x.x.x:x.x.x.x Port/Proto Count: 32 Port/Proto Range: 137:17500

I am trying to determine 4 things from this log: source IP, destination IP, source port, and destination port.

Some other options I would like, but as necessary, would be the type of portscan and the flags for this scan.

Again, thanks for any help that can be provided.

Upvotes: 0

Views: 465

Answers (1)

Kumba

Reputation: 2428

The protocol was UDP, so there are no flags available (that's a TCP thing). The log suggests (if I am reading it correctly) that 32 ports were tested, running a range from 137 to 17500, so pick 30 ports other than 137 and 17500 and that's what got scanned. To get more specific, you would need to find a way to deaggregate the information and break each alert into its own event and log them individually.

Upvotes: 1
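A small parser for the aggregated line quoted in the question, added here as an example and not code from either poster. It assumes the layout produced by Snort's portscan preprocessor (sfPortscan) exactly as shown above, and substitutes constructed RFC 5737 documentation addresses for the x.x.x.x placeholders. It pulls out the fields the record actually carries and returns None for the ones it does not (source port, flags), which is the point the answer makes.

```python
import re
from typing import Optional

# Constructed sample laid out like the log line quoted in the question. The original
# used x.x.x.x placeholders; these are RFC 5737 documentation addresses, not real hosts.
SAMPLE = ("Time: 04/13-15:29:41.660134 event_id: 6042 192.0.2.10 -> 198.51.100.5(portscan) "
          "UDP Filtered Portscan Priority Count: 0 Connection Count: 200 IP Count: 66 "
          "Scanner IP Range:192.0.2.10:192.0.2.10 Port/Proto Count: 32 Port/Proto Range: 137:17500")

# One regex for the aggregated portscan line layout shown above.
LINE_RE = re.compile(
    r"Time: (?P<time>\S+) event_id: (?P<event_id>\d+) "
    r"(?P<src_ip>[\d.]+) -> (?P<dst_ip>[\d.]+)\(portscan\) "
    r"(?P<proto>TCP|UDP|ICMP|IP) (?P<scan_type>.+?) "
    r"Priority Count: (?P<priority_count>\d+) Connection Count: (?P<connection_count>\d+) "
    r"IP Count: (?P<ip_count>\d+) Scanner IP Range:(?P<scanner_lo>[\d.]+):(?P<scanner_hi>[\d.]+) "
    r"Port/Proto Count: (?P<port_count>\d+) Port/Proto Range: (?P<port_lo>\d+):(?P<port_hi>\d+)"
)
INT_FIELDS = ("event_id", "priority_count", "connection_count", "ip_count",
              "port_count", "port_lo", "port_hi")

def parse_portscan(line: str) -> Optional[dict]:
    """Split one aggregated portscan line into named fields; None if the layout differs."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec

def requested_fields(rec: dict) -> dict:
    """The four items the question asks for, plus scan type and flags, as far as this record gives them."""
    return {
        "source_ip": rec["src_ip"],
        "destination_ip": rec["dst_ip"],
        "source_port": None,                                         # not kept in the aggregated record
        "destination_port_range": (rec["port_lo"], rec["port_hi"]),  # only low/high of the probed ports survives
        "destination_ports_probed": rec["port_count"],               # how many distinct ports, not which ones
        "scan_type": f'{rec["proto"]} {rec["scan_type"]}',
        # Flags are a TCP concept, so a UDP scan has none; even for TCP the per-packet
        # alerts the answer mentions would be needed, since this summary line omits them.
        "flags": None,
    }

if __name__ == "__main__":
    for key, value in requested_fields(parse_portscan(SAMPLE)).items():
        print(f"{key}: {value}")
```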
