
SA not parsing source port from snort logs

Question asked by Jesse Carleton on Jun 9, 2014
Latest reply on Jun 10, 2014 by Jesse Carleton

Is there a way to force SA to parse the source port in snort logs?


As you know, traffic looks like this:

Jun 9 15:53:49 snortbox01 snort[123456]: [1:12345:6] SSH Activity Detected [Classification: Misc activity] [Priority: 3]: {TCP} 10.0.10.123:22 -> 10.0.10.124:5682


What I'm seeing in SA is that it pulls the ip.dstport meta fine, but there is nothing in the ip.srcport meta.


Any help would be appreciated
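The following is an added example, not part of the original post and not RSA Security Analytics' own log parser: a small standalone parser for the Snort syslog alert format shown above that extracts both ports, so a defender can check what a correct parse of a given line should yield (ip.src, ip.srcport, ip.dst, ip.dstport) before comparing against what the SIEM's parser produced. It also covers two cases the question touches on: alerts for protocols without ports (ICMP, where the port keys are legitimately empty) and an alert whose endpoint line has been wrapped onto a second physical line, as in the post, which a naive line-by-line parser would lose the ports for. The sample log lines, hostnames, addresses and SIDs are constructed; the meta key names are the ones used in the question.

```python
import re

# Constructed sample input (not from a real sensor): the TCP alert from the
# question, an ICMP alert with no ports, and a TCP alert whose endpoint part
# was wrapped onto the next physical line, as shown in the post.
SAMPLE_LOG = """\
Jun 9 15:53:49 snortbox01 snort[123456]: [1:12345:6] SSH Activity Detected [Classification: Misc activity] [Priority: 3]: {TCP} 10.0.10.123:22 -> 10.0.10.124:5682
Jun 9 15:54:02 snortbox01 snort[123456]: [1:12346:1] ICMP Echo Request [Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.10.50 -> 10.0.10.124
Jun 9 15:55:10 snortbox01 snort[123456]: [1:12345:6] SSH Activity Detected [Classification: Misc activity] [Priority: 3]: {TCP}
10.0.10.123:22 -> 10.0.10.124:5683
"""

# A physical line that starts with a syslog timestamp begins a new record.
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} ")

# Snort syslog alert: "[gid:sid:rev] msg [Classification: ...] [Priority: n]:
# {PROTO} src[:port] -> dst[:port]". Ports are optional so ICMP alerts match.
SNORT_ALERT = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<classification>[^\]]*)\] "
    r"\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>[A-Z0-9]+)\} "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d{1,5}))? -> "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dst_port>\d{1,5}))?$"
)


def join_wrapped_lines(text):
    """Re-join physical lines that do not start with a syslog timestamp onto
    the preceding record, so a wrapped alert is parsed as one line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SYSLOG_PREFIX.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line
    return records


def parse_snort_alert(line):
    """Return a dict of meta values for one Snort alert line, or None if the
    line does not match. Port keys are None for protocols without ports."""
    m = SNORT_ALERT.match(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "host": g["host"],
        "sid": int(g["sid"]),
        "msg": g["msg"],
        "priority": int(g["priority"]),
        "ip.proto": g["proto"],
        "ip.src": g["src_ip"],
        "ip.srcport": int(g["src_port"]) if g["src_port"] else None,
        "ip.dst": g["dst_ip"],
        "ip.dstport": int(g["dst_port"]) if g["dst_port"] else None,
    }


def parse_snort_log(text):
    """Parse a block of syslog text into a list of alert dicts, skipping
    lines that are not Snort alerts."""
    results = []
    for record in join_wrapped_lines(text):
        parsed = parse_snort_alert(record)
        if parsed is not None:
            results.append(parsed)
    return results


if __name__ == "__main__":
    for alert in parse_snort_log(SAMPLE_LOG):
        print(alert["ip.proto"], alert["ip.src"], alert["ip.srcport"],
              "->", alert["ip.dst"], alert["ip.dstport"])
```

Running this on the sample prints all three alerts with both ports populated for the TCP lines and None for the ICMP one. The point for the question is that the source port is present in the raw event, so if ip.srcport is empty in the SIEM while ip.dstport is filled, the issue is in the log parser's field mapping for this message format, not in what Snort emits; a reference parse like this makes that easy to demonstrate to support.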
