Snort mailing list archives
RE: logging question
From: "Anthony Buser" <ABuser () princelaw com>
Date: Fri, 25 May 2001 13:50:05 -0400
hmmm... you could always use the -d option on snort which throws the packet info into text files in subdirectories under /var/log/snort... then in apache you could map the /var/log/snort dir to /snortpackets... that way if you wanted to view the packet info for [naughtyipaddress] you could just hit http://webserver/snortpackets/naughtyipaddress :)

Come to think of it, it probably wouldn't be that hard to modify snortsnarf to include a link to that directory in the details page if you know perl.

---
Tony Buser
Programmer/Analyst
Unconundrum, Inc.
http://www.unconundrum.com

-----Original Message-----
From: Fred Edwards [mailto:Fred.Edwards () STMARYS CA]
Sent: Friday, May 25, 2001 1:41 PM
To: Anthony Buser; snort-users () lists sourceforge net
Subject: Re: [Snort-users] logging question

ah... had a look at that solution... no good for my situation... my server is a single app only box... so no webserver or database can be put on it... especially not a webserver with PHP ;-) and certainly not X-windows if a graphical webbrowser is required... ;-)

thanks for the suggestion though... :-)

----- Original Message -----
From: "Anthony Buser" <ABuser () princelaw com>
To: <snort-users () lists sourceforge net>
Cc: "Fred Edwards" <Fred.Edwards () STMARYS CA>
Sent: Friday, May 25, 2001 1:23 PM
Subject: RE: [Snort-users] logging question

Unfortunately so far as I know SnortSnarf cannot handle the tcpdump data. Which is one reason why I recently switched to Acid (http://www.cert.org/kb/acid/) and used the database logging with snort. So I added a line to my snort.conf like:

output database: log, mysql, user=xxx password=xxx dbname=snort host=localhost sensor_name=netmon encoding=hex

The encoding=hex at the end puts the tcpdump into the database in hex format, which acid automatically turns into human readable format and shows on the acid webpage when you drill down into the details.

You can also tell the database plugin to automatically convert to plain text by putting encoding=ascii. That way you could develop your own tools to view it if you don't want to use acid... or I guess maybe modify snortsnarf to show it.

---
Tony Buser
Programmer/Analyst
Unconundrum, Inc.
http://www.unconundrum.com

-----Original Message-----
From: Fred Edwards [mailto:Fred.Edwards () STMARYS CA]
Sent: Friday, May 25, 2001 12:09 PM
To: Anthony Buser
Subject: Re: [Snort-users] logging question

I guess I should clarify my question a bit... I am aware of the fact that you can get snort to do a binary "tcpdump" and/or see the packet dump in the machine ip's directory... however... what I was wondering was whether snort can do the packet dump to the alert file itself... I would like this specifically in order to get SnortSnarf to display the packet dump, as right now my manager calls me up after seeing something suspicious on the snortsnarf webpages and I have to go look at the dump through a ssh session or logging in physically and going to the directory in question...

HOWEVER... if someone knows... can snortsnarf be used with a "tcpdump.txt" file as Anthony outlines below in place of the alert file and thereby accomplishing what I'm looking for? ;-)

Fred Edwards

----- Original Message -----
From: "Anthony Buser" <ABuser () princelaw com>
To: "Fred Edwards" <Fred.Edwards () STMARYS CA>; <snort-users () lists sourceforge net>
Sent: Friday, May 25, 2001 12:54 PM
Subject: RE: [Snort-users] logging question

This is what I do... Start snort like this:

snort -d -h 151.197.81.0/24 -l /var/log/snort -c /etc/snort.conf

Add a line to your snort.conf like this:

output log_tcpdump: snort.tcpdump

Then it will log the packet dumps in files named like 0525@1113-snort.tcpdump in your /var/log/snort dir.

You can then use snort to convert these files into more human readable format by doing this:

snort -r 0525@1113-snort.tcpdump -dve > tcpdump.txt

---
Tony Buser
Programmer/Analyst
Unconundrum, Inc.
http://www.unconundrum.com

-----Original Message-----
From: Fred Edwards [mailto:Fred.Edwards () STMARYS CA]
Sent: Friday, May 25, 2001 8:49 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] logging question

I have a question about the alert log and its format. my alert log generally looks like so for each alert:

[**] ICMP Destination Unreachable [**]
05/23-13:30:15.604004 x.x.x.x -> x.x.x.x
ICMP TTL:254 TOS:0x0 ID:543 IpLen:20 DgmLen:56
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
x.x.x.x:138 -> x.x.x.x:138
UDP TTL:127 TOS:0x0 ID:53795 IpLen:20 DgmLen:253
Len: 233
** END OF DUMP

is there anyway to have the alert also dump the hex packet/datagram as well like I get in standard output when I issue the snort command "snort -vv -i eth0 -X", for example:

05/24-12:27:08.243426 x.x.x.x:1084 -> x.x.x.x:22
TCP TTL:128 TOS:0x0 ID:21607 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xC066F581 Ack: 0xD7A63BB4 Win: 0x48 TcpLen: 20
0x0000: 00 E0 29 5A C5 42 00 01 03 02 0D 64 08 00 45 00 ..)Z.B.....d..E.
0x0010: 00 3C 54 67 40 00 80 06 FB B6 8C B8 48 90 8C B8 .<Tg@.......H...
0x0020: 48 9D 04 3C 00 16 C0 66 F5 81 D7 A6 3B B4 50 18 H..<...f....;.P.
0x0030: 00 48 8E 18 00 00 00 00 00 0A 1D 30 9F A2 D0 CE .H.........0....
0x0040: A9 9D 6A 8C 84 DA 89 3B F9 38 ..j....;.8

or can I get that info dumped into another file... but some way of viewing the contents of the packet AFTER the fact...
============================================
Fred Edwards
Library Systems Technician
Patrick Power Library
Saint Mary's University
Halifax, Nova Scotia B3H 3C3
Phone: (902) 420-5096
Fax: (902) 420-5561
E-mail: Fred.Edwards () StMarys ca
Website: http://www.stmarys.ca/administration/library/
============================================
Quis custodiet ipsos custodes?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
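Added example, not code from the thread or from Snort: a small Python parser for the text packet layout Snort prints (the `-X` dump quoted in Fred's message, which is also what Tony's `snort -r ... -dve > tcpdump.txt` conversion produces), with a lookup by source host for the "packets for [naughtyipaddress]" view discussed above and a check that the hex bytes agree with the text header. The sample dump is constructed (192.0.2.x documentation addresses, IP checksum not recomputed), and the consistency check assumes the byte lines start with the Ethernet header as the `-X` output does; for a payload-only dump it simply returns False.

```python
import re
from itertools import takewhile
# Constructed sample in Snort's text packet layout (192.0.2.x are documentation addresses)
SAMPLE = """\
05/24-12:27:08.243426 192.0.2.10:1084 -> 192.0.2.20:22
TCP TTL:128 TOS:0x0 ID:21607 IpLen:20 DgmLen:60 DF
0x0000: 00 E0 29 5A C5 42 00 01 03 02 0D 64 08 00 45 00  ..)Z.B.....d..E.
0x0010: 00 3C 54 67 40 00 80 06 FB B6 C0 00 02 0A C0 00  .<Tg@...........
0x0020: 02 14 04 3C 00 16 C0 66 F5 81 D7 A6 3B B4 50 18  ...<...f....;.P.
0x0030: 00 48 8E 18 00 00 00 00 00 0A 1D 30 9F A2 D0 CE  .H.........0....
0x0040: A9 9D 6A 8C 84 DA 89 3B F9 38                    ..j....;.8
"""

HEADER = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)")
PROTO = re.compile(r"^(\S+) TTL:")          # the IP line: "TCP TTL:128 ... DgmLen:60"
DGMLEN = re.compile(r"DgmLen:(\d+)")
HEXDIGITS = set("0123456789abcdefABCDEF")

def hex_bytes(line):
    # '0x0010: 00 3C ...' -> bytes; at most 16 per line, stop at the ASCII column
    toks = takewhile(lambda t: len(t) == 2 and set(t) <= HEXDIGITS, line.split()[1:17])
    return bytes(int(t, 16) for t in toks)

def parse_dump(text):
    # A packet starts at its timestamp line; its IP line and 0x.... byte lines follow
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, src, dst = m.groups()      # src/dst keep their ":port" if present
            cur = dict(ts=ts, src=src, dst=dst, proto=None, dgmlen=None, data=b"")
            records.append(cur)
        elif cur and line.startswith("0x"):
            cur["data"] += hex_bytes(line)
        elif cur and PROTO.match(line):
            cur["proto"] = PROTO.match(line).group(1)
            dl = DGMLEN.search(line)
            cur["dgmlen"] = int(dl.group(1)) if dl else None
    return records

def packets_from(records, host):
    # Lookup by source host, the per-address view this thread asks for
    return [r for r in records if r["src"].partition(":")[0] == host]

def frame_consistent(rec):
    # -X/-e dumps start with a 14-byte Ethernet header; IPv4 total length and source must agree with the text
    d = rec["data"]
    return (d[12:14] == b"\x08\x00" and rec["dgmlen"] == len(d) - 14
            and ".".join(map(str, d[26:30])) == rec["src"].partition(":")[0])
```

Running `parse_dump` over a whole tcpdump.txt and writing `packets_from(records, host)` per host is the file layout Tony's /snortpackets/<address> mapping would serve.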
Current thread:
- logging question Fred Edwards (May 25)
- RE: logging question jan (May 25)
- <Possible follow-ups>
- RE: logging question Anthony Buser (May 25)
- RE: logging question Anthony Buser (May 25)
- Re: logging question Fred Edwards (May 25)
- RE: logging question James Hoagland (May 29)
- RE: logging question Anthony Buser (May 25)
- RE: logging question Gregory Mingus (May 25)