AnsweredAssumed Answered

SA not parsing source port from snort logs

Question asked by Jesse Carleton on Jun 9, 2014
Latest reply on Jun 10, 2014 by Jesse Carleton

Is there a way to force SA to parse the source port in snort logs?


As you know, traffic looks like this;


Jun 9 15:53:49 snortbox01 snort[123456]: [1:12345:6] SSH Activity Detected [Classification: Misc activity] [Priority: 3]: {TCP} ->


What I'm seeing in SA is that it pulls the ip.dstport meta is fine, but there is nothing in ip.srcport meta.


Any help would be appreciated