Bug #235

closed

fast log should fill in protocol name when known by /etc/protocols

Added by Will Metcalf over 13 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Currently the Suricata fast.log doesn't match the Snort fast log: we only print the protocol number. Snort sets the protocol name if it is known via /etc/protocols; if not, it uses the format PROTO:protonumber. Suricata currently always prints the proto number.

Example Snort fast logs (IP addresses have been changed):
12/26-06:44:10.148430 [**] [1:2002750:23] ET POLICY Reserved IP Space Traffic - Bogon Nets 2 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {PROTO:007} 10.1.1.1 -> 10.1.1.2
12/26-11:11:11.012275 [**] [1:2009022:3] ET VIRUS Zlob User Agent - Likely Zlob (securityinternet) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.1.1:1033 -> 10.1.1.2:80
12/29-11:11:11.592820 [**] [1:2002750:23] ET POLICY Reserved IP Space Traffic - Bogon Nets 2 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {MANET} 10.1.1.1 -> 10.1.1.2
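The lookup the report asks for, as an added example and not code from this ticket, from Suricata or from Snort: a small table in /etc/protocols format is parsed from a constructed excerpt embedded in the file (so it runs without reading the host's /etc/protocols), and the proto field is rendered the way the Snort lines above show it, the upper-cased name when the number is known and PROTO:NNN (zero-padded to three digits) when it is not. The function names, the 256-entry table and the sample excerpt are all assumptions of this example; the excerpt deliberately omits protocol 7 so that it reproduces the {PROTO:007} line from the report.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed excerpt in /etc/protocols format ("name number [aliases] # comment").
 * Protocol 7 (cbt) is intentionally absent to mirror the {PROTO:007} line above. */
static const char *sample_protocols =
    "# Internet (IP) protocols (constructed sample, not the real file)\n"
    "ip\t0\tIP\t\t# internet protocol, pseudo protocol number\n"
    "icmp\t1\tICMP\t\t# internet control message protocol\n"
    "tcp\t6\tTCP\t\t# transmission control protocol\n"
    "udp\t17\tUDP\t\t# user datagram protocol\n"
    "ipv6-icmp\t58\tIPv6-ICMP\t# ICMP for IPv6\n"
    "manet\t138\tMANET\t\t# MANET protocols\n";

#define MAX_PROTO 256            /* IP protocol field is 8 bits */
#define NAME_LEN  32

/* number -> name table; an empty string means "not in /etc/protocols" */
static char proto_names[MAX_PROTO][NAME_LEN];

/* Parse text in /etc/protocols format into proto_names.
 * Comments ('#' to end of line) and blank lines are skipped; the first
 * entry for a number wins. Returns the number of entries loaded. */
int load_protocols(const char *text)
{
    int count = 0;
    const char *p = text;

    memset(proto_names, 0, sizeof(proto_names));
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256];
        char name[NAME_LEN];
        char *hash;
        int num;

        if (len >= sizeof(line))
            len = sizeof(line) - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        hash = strchr(line, '#');   /* drop trailing comment */
        if (hash)
            *hash = '\0';

        /* "%31s %d" reads the name and the number; aliases are ignored */
        if (sscanf(line, "%31s %d", name, &num) == 2 &&
            num >= 0 && num < MAX_PROTO && proto_names[num][0] == '\0') {
            strcpy(proto_names[num], name);
            count++;
        }
        p = eol ? eol + 1 : p + len;
    }
    return count;
}

/* Render the fast.log proto field: upper-cased name if known, else PROTO:NNN.
 * Writes at most outlen bytes (including NUL) into out and returns out. */
const char *fast_log_proto(int proto, char *out, size_t outlen)
{
    if (proto >= 0 && proto < MAX_PROTO && proto_names[proto][0] != '\0') {
        size_t i;
        for (i = 0; i + 1 < outlen && proto_names[proto][i] != '\0'; i++)
            out[i] = (char)toupper((unsigned char)proto_names[proto][i]);
        out[i] = '\0';
    } else {
        snprintf(out, outlen, "PROTO:%03d", proto);
    }
    return out;
}

int main(void)
{
    char buf[NAME_LEN];
    int protos[] = { 6, 7, 138 };
    size_t i;

    load_protocols(sample_protocols);
    for (i = 0; i < sizeof(protos) / sizeof(protos[0]); i++)
        printf("{%s}\n", fast_log_proto(protos[i], buf, sizeof(buf)));
    return 0;
}
```

For the three sample protocols this prints {TCP}, {PROTO:007} and {MANET}, matching the proto fields in the Snort lines above. Because the names come from whatever /etc/protocols the sensor host ships, anything that parses fast.log downstream has to accept both a bare name and the PROTO:NNN form for the same protocol number across hosts.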


Actions #1

Updated by Victor Julien over 13 years ago

  • Subject changed from fast log should fill in protocol name when known by /etc/protocols xrefs should be removed. to fast log should fill in protocol name when known by /etc/protocols
Actions #2

Updated by Victor Julien over 13 years ago

  • Assignee changed from OISF Dev to Gurvinder Singh
  • Estimated time changed from 2.50 h to 5.00 h
Actions #3

Updated by Gurvinder Singh over 13 years ago

Patch attached

Actions #4

Updated by Victor Julien over 13 years ago

  • Estimated time changed from 5.00 h to 7.00 h
Actions #6

Updated by Victor Julien over 13 years ago

  • Status changed from Resolved to Closed
  • % Done changed from 90 to 100

Applied the last patch, thanks Gurvinder.
