Snort mailing list archives

RE: logging question


From: "Anthony Buser" <ABuser () princelaw com>
Date: Fri, 25 May 2001 12:23:07 -0400

Unfortunately so far as I know SnortSnarf cannot handle the tcpdump
data.  Which is one reason why I recently switched to Acid
(http://www.cert.org/kb/acid/) and used the database logging with snort.
So I added a line to my snort.conf like:

output database: log, mysql, user=xxx password=xxx dbname=snort host=localhost sensor_name=netmon encoding=hex

The encoding=hex at the end puts the tcpdump data into the database in hex
format, which ACID automatically turns into human-readable format and
shows on the ACID webpage when you drill down into the details.  You can
also tell the database plugin to automatically convert to plain text by
putting encoding=ascii.  That way you could develop your own tools to
view it if you don't want to use ACID... or I guess maybe modify
SnortSnarf to show it.

---
Tony Buser
Programmer/Analyst
Unconundrum, Inc. http://www.unconundrum.com



-----Original Message-----
From: Fred Edwards [mailto:Fred.Edwards () STMARYS CA]
Sent: Friday, May 25, 2001 12:09 PM
To: Anthony Buser
Subject: Re: [Snort-users] logging question


I guess I should clarify my question a bit... I am aware of the fact
that you can get snort to do a binary "tcpdump" and/or see the packet
dump in the machine ip's directory...

however... what I was wondering was whether snort can do the packet
dump to the alert file itself...

I would like this specifically in order to get SnortSnarf to display
the packet dump, as right now my manager calls me up after seeing
something suspicious on the SnortSnarf webpages and I have to go look
at the dump through an ssh session or logging in physically and going
to the directory in question...

HOWEVER... if someone knows... can SnortSnarf be used with a
"tcpdump.txt" file as Anthony outlines below in place of the alert
file and thereby accomplish what I'm looking for?   ;-)

Fred Edwards



----- Original Message -----
From: "Anthony Buser" <ABuser () princelaw com>
To: "Fred Edwards" <Fred.Edwards () STMARYS CA>;
<snort-users () lists sourceforge net>
Sent: Friday, May 25, 2001 12:54 PM
Subject: RE: [Snort-users] logging question


This is what I do...

Start snort like this:
snort -d -h 151.197.81.0/24 -l /var/log/snort -c /etc/snort.conf

Add a line to your snort.conf like this:
output log_tcpdump: snort.tcpdump

Then it will log the packet dumps in files named like
0525@1113-snort.tcpdump in your /var/log/snort dir.

You can then use snort to convert these files into more human readable
format by doing this:
snort -r 0525@1113-snort.tcpdump -dve > tcpdump.txt

---
Tony Buser
Programmer/Analyst
Unconundrum, Inc. http://www.unconundrum.com


-----Original Message-----
From: Fred Edwards [mailto:Fred.Edwards () STMARYS CA]
Sent: Friday, May 25, 2001 8:49 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] logging question


I have a question about the alert log and its format.
my alert log generally looks like so for each alert:


[**]  ICMP Destination Unreachable [**]
05/23-13:30:15.604004 x.x.x.x -> x.x.x.x
ICMP TTL:254 TOS:0x0 ID:543 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
x.x.x.x:138 -> x.x.x.x:138
UDP TTL:127 TOS:0x0 ID:53795 IpLen:20 DgmLen:253
Len: 233
** END OF DUMP


Is there any way to have the alert also dump the hex packet/datagram as
well, like I get in standard output when I issue the snort command
"snort -vv -i eth0 -X", for example:

05/24-12:27:08.243426 x.x.x.x:1084 -> x.x.x.x:22
TCP TTL:128 TOS:0x0 ID:21607 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xC066F581  Ack: 0xD7A63BB4  Win: 0x48  TcpLen: 20
0x0000: 00 E0 29 5A C5 42 00 01 03 02 0D 64 08 00 45 00  ..)Z.B.....d..E.
0x0010: 00 3C 54 67 40 00 80 06 FB B6 8C B8 48 90 8C B8  .<Tg@.......H...
0x0020: 48 9D 04 3C 00 16 C0 66 F5 81 D7 A6 3B B4 50 18  H..<...f....;.P.
0x0030: 00 48 8E 18 00 00 00 00 00 0A 1D 30 9F A2 D0 CE  .H.........0....
0x0040: A9 9D 6A 8C 84 DA 89 3B F9 38                    ..j....;.8

or can I get that info dumped into another file... but some way
of viewing the contents of the packet AFTER the fact...


============================================
Fred Edwards
Library Systems Technician
Patrick Power Library
Saint Mary's University
Halifax, Nova Scotia    B3H 3C3

Phone:    (902) 420-5096
Fax:        (902) 420-5561
E-mail:    Fred.Edwards () StMarys ca
Website: http://www.stmarys.ca/administration/library/
============================================

Quis custodiet ipsos custodes?



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



