Snort mailing list archives
logging question
From: Fred Edwards <Fred.Edwards () STMARYS CA>
Date: Fri, 25 May 2001 09:48:33 -0300
I have a question about the alert log and its format. My alert log generally looks like so for each alert:

[**] ICMP Destination Unreachable [**]
05/23-13:30:15.604004 x.x.x.x -> x.x.x.x
ICMP TTL:254 TOS:0x0 ID:543 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
x.x.x.x:138 -> x.x.x.x:138
UDP TTL:127 TOS:0x0 ID:53795 IpLen:20 DgmLen:253
Len: 233
** END OF DUMP

Is there any way to have the alert also dump the hex packet/datagram as well, like I get in standard output when I issue the snort command "snort -vv -i eth0 -X", for example:

05/24-12:27:08.243426 x.x.x.x:1084 -> x.x.x.x:22
TCP TTL:128 TOS:0x0 ID:21607 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xC066F581  Ack: 0xD7A63BB4  Win: 0x48  TcpLen: 20
0x0000: 00 E0 29 5A C5 42 00 01 03 02 0D 64 08 00 45 00  ..)Z.B.....d..E.
0x0010: 00 3C 54 67 40 00 80 06 FB B6 8C B8 48 90 8C B8  .<Tg@.......H...
0x0020: 48 9D 04 3C 00 16 C0 66 F5 81 D7 A6 3B B4 50 18  H..<...f....;.P.
0x0030: 00 48 8E 18 00 00 00 00 00 0A 1D 30 9F A2 D0 CE  .H.........0....
0x0040: A9 9D 6A 8C 84 DA 89 3B F9 38                    ..j....;.8

or can I get that info dumped into another file... but some way of viewing the contents of the packet AFTER the fact...

============================================
Fred Edwards
Library Systems Technician
Patrick Power Library
Saint Mary's University
Halifax, Nova Scotia B3H 3C3
Phone: (902) 420-5096
Fax: (902) 420-5561
E-mail: Fred.Edwards () StMarys ca
Website: http://www.stmarys.ca/administration/library/
============================================
Quis custodiet ipsos custodes?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
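The alert record quoted in the post follows Snort's "full" alert layout: a `[**] msg [**]` header, a timestamp and address line, an IP line, and for ICMP errors the quoted header of the original datagram. The parser below, an added example that is not part of the post or of Snort itself, reads that layout into dictionaries so a defender can answer "which port was reported unreachable" from the log after the fact; the sample record is constructed with RFC 5737 documentation addresses and all field and function names are the example's own.

```python
import re

# Constructed sample in the Snort 1.x "full" alert format quoted in the post;
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_ALERTS = """\
[**] ICMP Destination Unreachable [**]
05/23-13:30:15.604004 192.0.2.10 -> 198.51.100.20
ICMP TTL:254 TOS:0x0 ID:543 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
198.51.100.20:138 -> 192.0.2.10:138
UDP TTL:127 TOS:0x0 ID:53795 IpLen:20 DgmLen:253
Len: 233
** END OF DUMP
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
ADDR_RE = re.compile(r"^(?:(?P<ts>\S+) )?(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
                     r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")
IP_RE = re.compile(r"^(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9A-Fa-f]+) "
                   r"ID:(?P<ipid>\d+) IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")
ICMP_RE = re.compile(r"^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)\s*(?P<desc>.*)$")

def _parse_packet(lines):
    # The "a -> b" address line followed by the "PROTO TTL:.. DgmLen:.." line.
    pkt = ADDR_RE.match(lines[0]).groupdict()
    pkt.update(IP_RE.match(lines[1]).groupdict())
    return pkt

def parse_alerts(text):
    """Split a Snort 'full' alert file on blank lines and parse each record."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        alert = {"msg": HEADER_RE.match(lines[0]).group("msg")}
        alert.update(_parse_packet(lines[1:3]))
        for i, line in enumerate(lines):
            if m := ICMP_RE.match(line):
                alert["icmp"] = m.groupdict()
            elif line.startswith("** ORIGINAL DATAGRAM DUMP:"):
                # ICMP errors quote the header of the packet that caused them.
                alert["original"] = _parse_packet(lines[i + 1:i + 3])
        alerts.append(alert)
    return alerts

def port_unreachable_targets(alerts):
    """host:port/proto of the quoted original datagram for each ICMP 3/3 alert."""
    return [f"{a['original']['dst']}:{a['original']['dport']}/{a['original']['proto']}"
            for a in alerts if a.get("icmp", {}).get("type") == "3"
            and a["icmp"]["code"] == "3" and "original" in a]
```

Note that the hex dump the post asks about is not present in the "full" alert format, so nothing here reconstructs packet bytes; it only recovers the header fields the alert file does carry.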
Current thread:
- logging question Fred Edwards (May 25)
- RE: logging question jan (May 25)
- <Possible follow-ups>
- RE: logging question Anthony Buser (May 25)
- RE: logging question Anthony Buser (May 25)
- Re: logging question Fred Edwards (May 25)
- RE: logging question James Hoagland (May 29)
- RE: logging question Anthony Buser (May 25)
- RE: logging question Gregory Mingus (May 25)