![snort logo](/images/snort-logo.png)
Snort mailing list archives
Re: Logging packet contents in alerts.
From: "Matthew Collins" <Matthew.Collins () northernregistrars co uk>
Date: Thu, 07 Jun 2001 08:53:54 +0100
That's what I do at the moment. That's what I'm trying to avoid. At the moment, snort logs to binary files, I use the -b option. To get the packet contents I ssh to the snort box, send snort a HUP so it closes the file & opens a new one. I then scp this to my machine, run snort on my machine against the binary file to extract the packet contents and then I examine the packet. This takes ~ 15 minutes to do, for every false alarm. If it is towards the end of the day, the binary file can be > 400MB. If I could see the packet contents in the alert, It would take me about 10 seconds to look at the packet and see if it's a false alarm or not. That's what I'm asking, is there any way to get snort to log packet contents in the alert?
Colin Wu <wucolin () mcmaster ca> 06/06/01 17:35:14 >>>
Why not build tcpdump on your non-snort box and use 'tcpdump -X -r snort.log.file' to extract the contents. I don't see why you need to restart snort to get the data dumped since you're logging application data to tcpdump format file anyway. Am I missing something? If you just want to checkpoint the snort logs you can send it a HUP signal. If you started snort with a -b flag, and using the default log file name snort will create a new binary log file with a different timestamp. **************************************************************************************** This message and any attachments are confidential to the ordinary user of the e-mail address to which it was addressed and may also be privileged. If you are not the addressee you may not copy, forward, disclose or use any part of the message or its attachments and if you have received this message in error, please notify the sender immediately by return e-mail and delete it from your system. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. The sender therefore does not accept liability for any errors or omissions in the context of this message which arise as a result of Internet transmission. Northern Registrars Limited, Northern House, Woodsome Park, Fenay Bridge, Huddersfield. HD8 0LA. Tel: +44 (0) 1484 600900 Fax: +44 (0) 1484 600911 For more information visit our web site: http://www.northernregistrars.co.uk **************************************************************************************** _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Logging packet contents in alerts. Matthew Collins (Jun 06)
- Re: Logging packet contents in alerts. Colin Wu (Jun 06)
- <Possible follow-ups>
- Re: Logging packet contents in alerts. Matthew Collins (Jun 07)