Snort mailing list archives

RE: logging question


From: "Anthony Buser" <ABuser () princelaw com>
Date: Fri, 25 May 2001 11:54:58 -0400

This is what I do...

Start snort like this:
snort -d -h 151.197.81.0/24 -l /var/log/snort -c /etc/snort.conf

Add a line to your snort.conf like this:
output log_tcpdump: snort.tcpdump

Then it will log the packet dumps in files named like
0525@1113-snort.tcpdump in your /var/log/snort dir.

You can then use snort to convert these files into more human readable
format by doing this:
snort -r 0525@1113-snort.tcpdump -dve > tcpdump.txt

---
Tony Buser
Programmer/Analyst
Unconundrum, Inc. http://www.unconundrum.com

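The round trip Tony describes, snort writing a tcpdump-format file with log_tcpdump and then reading it back with -r to get the hex dump, as an added Python example that is not from this thread or from Snort itself: it writes a classic pcap record in memory, reads it back in either byte order, and renders the packet in the offset/hex/ASCII layout of `snort -X`. The input is the 74-byte frame re-typed from the dump quoted in Fred's message (constructed sample, with a made-up timestamp); `build_pcap`, `read_pcap`, `hexdump` and `ipv4_summary` are names chosen here.

```python
import struct

# Constructed sample: the Ethernet + IPv4 + TCP frame (74 bytes, 10 bytes of payload)
# re-typed from the "snort -X" hex dump quoted in the original question.
FRAME = bytes.fromhex(
    "00e0295ac5420001 03020d6408004500 003c546740008006 fbb68cb848908cb8"
    "489d043c0016c066 f581d7a63bb45018 00488e1800000000 000a1d309fa2d0ce"
    "a99d6a8c84da893b f938"
)

def build_pcap(packets, linktype=1):
    """Build an in-memory classic pcap (little-endian, microsecond stamps) like log_tcpdump writes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, pkt in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out

def read_pcap(buf):
    """Yield (ts_sec, ts_usec, packet) from a classic pcap buffer in either byte order."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(buf[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    pos = 24  # fixed 24-byte global header
    while pos + 16 <= len(buf):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", buf[pos:pos + 16])
        pos += 16
        yield ts_sec, ts_usec, buf[pos:pos + incl_len]
        pos += incl_len

def hexdump(data, width=16):
    """Render bytes as offset / hex / printable-ASCII lines, in the style of snort -X."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"0x{off:04X}: {hexpart}  {asc}")
    return lines

def ipv4_summary(frame):
    """Pull the IPv4 fields snort prints (TTL, TOS, ID, IpLen, DgmLen, DF) from an Ethernet frame."""
    ihl = (frame[14] & 0x0F) * 4
    tos, total, ident, flags_frag, ttl = struct.unpack("!BHHHB", frame[15:23])
    df = " DF" if flags_frag & 0x4000 else ""
    return f"TTL:{ttl} TOS:0x{tos:X} ID:{ident} IpLen:{ihl} DgmLen:{total}{df}"

def demo():
    """Write the sample frame as a pcap, read it back, and dump it after the fact."""
    pcap = build_pcap([(990707228, 243426, FRAME)])  # constructed timestamp
    return [(s, u, ipv4_summary(p), hexdump(p)) for s, u, p in read_pcap(pcap)]
```

Run `demo()` against a real file by replacing the in-memory buffer with the contents of one of the `*-snort.tcpdump` files; the same hexdump output is what `snort -r <file> -dve` would print for that packet.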

-----Original Message-----
From: Fred Edwards [mailto:Fred.Edwards () STMARYS CA]
Sent: Friday, May 25, 2001 8:49 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] logging question


I have a question about the alert log and its format.
My alert log generally looks like so for each alert:


[**]  ICMP Destination Unreachable [**]
05/23-13:30:15.604004 x.x.x.x -> x.x.x.x
ICMP TTL:254 TOS:0x0 ID:543 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
x.x.x.x:138 -> x.x.x.x:138
UDP TTL:127 TOS:0x0 ID:53795 IpLen:20 DgmLen:253
Len: 233
** END OF DUMP


Is there any way to have the alert also dump the hex packet/datagram as well,
like I get in standard output when I issue the snort command
"snort -vv -i eth0 -X"? For example:

05/24-12:27:08.243426 x.x.x.x:1084 -> x.x.x.x:22
TCP TTL:128 TOS:0x0 ID:21607 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xC066F581  Ack: 0xD7A63BB4  Win: 0x48  TcpLen: 20
0x0000: 00 E0 29 5A C5 42 00 01 03 02 0D 64 08 00 45 00  ..)Z.B.....d..E.
0x0010: 00 3C 54 67 40 00 80 06 FB B6 8C B8 48 90 8C B8  .<Tg@.......H...
0x0020: 48 9D 04 3C 00 16 C0 66 F5 81 D7 A6 3B B4 50 18  H..<...f....;.P.
0x0030: 00 48 8E 18 00 00 00 00 00 0A 1D 30 9F A2 D0 CE  .H.........0....
0x0040: A9 9D 6A 8C 84 DA 89 3B F9 38                    ..j....;.8

Or can I get that info dumped into another file... but some way
of viewing the contents of the packet AFTER the fact...


============================================
Fred Edwards
Library Systems Technician
Patrick Power Library
Saint Mary's University
Halifax, Nova Scotia    B3H 3C3

Phone:    (902) 420-5096
Fax:        (902) 420-5561
E-mail:    Fred.Edwards () StMarys ca
Website: http://www.stmarys.ca/administration/library/
============================================

Quis custodiet ipsos custodes?



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
