Snort mailing list archives
Re: How to review actual packets?
From: John Sage <jsage@finchhaven.com>
Date: Mon, 11 Jun 2001 10:51:16 -0700
Paul:

I'm logging in -b binary mode, and because of the small volume of traffic here, I log everything.

Then, when I want to see what's going on, I have an alias in my .bashrc that says:

alias snortview='snort -dv -r '

So when I want to look at a binary log, I say "snortview snort0608@0606.log | more" and off I go...

I can also do stuff like "snortview snort0608@0606.log 'tcp[3] = 53'" for example, and it shows me tcp stuff coming into port 53... That kind of thing gets into learning the syntax in man(1) tcpdump.

I do a full scan on logs using another alias:

alias snortcheck='snort -dv -l . -c /usr/local/snort-1.7/snortcheck.conf -r '

And then I say "snortcheck snort0608@0606.log" and it checks the log against the rules in snortcheck.conf.

...one way to do it, anyway.

- John

Sheahan, Paul (PCLN-NW) wrote:
Hello,

I'm new to Snort and just installed my first server on Red Hat Linux 7.0. I am trying to identify why certain machines are setting off alarms. I need to view the actual packets that were sent by the machine so I can see what URL they went to etc. How can I view this info in Snort? I've already looked at our web logs and they don't contain the info I need. I need actual sniffer traces. Any help would be appreciated!

Thanks,
Paul

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage@finchhaven.com
"The web is so, like, five minutes ago..."
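A note on the tcpdump-style filter used above, as an added example that is not part of the original post: in BPF syntax tcp[3] is the low byte of the 16-bit destination port (bytes 2-3 of the TCP header), so 'tcp[3] = 53' also matches any destination port whose low byte is 53 (for example 309 = 0x0135), while 'tcp[2:2] = 53' (or simply 'dst port 53') compares the whole port. The constructed 20-byte headers below are illustrative; no real capture is read.

```python
import struct


def build_tcp_header(src_port: int, dst_port: int) -> bytes:
    """Construct a minimal 20-byte TCP header (no options) for demonstration."""
    return struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0,          # sequence number
        0,          # acknowledgement number
        5 << 4,     # data offset = 5 words (20 bytes), reserved bits zero
        0x02,       # flags: SYN
        8192,       # window size
        0,          # checksum (not computed for this constructed sample)
        0,          # urgent pointer
    )


def matches_byte_filter(tcp: bytes, offset: int, value: int) -> bool:
    """Emulate a BPF test of the form tcp[offset] = value (one byte)."""
    return tcp[offset] == value


def matches_word_filter(tcp: bytes, offset: int, value: int) -> bool:
    """Emulate a BPF test of the form tcp[offset:2] = value (16-bit, network order)."""
    return struct.unpack("!H", tcp[offset:offset + 2])[0] == value


def compare_port_filters(dst_port: int) -> dict:
    """Evaluate the one-byte and two-byte port filters against a header for dst_port."""
    tcp = build_tcp_header(40000, dst_port)
    return {
        "tcp[3] = 53": matches_byte_filter(tcp, 3, 53),
        "tcp[2:2] = 53": matches_word_filter(tcp, 2, 53),
    }


if __name__ == "__main__":
    # Port 309 (0x0135) shares its low byte with port 53 (0x0035), so the
    # one-byte filter reports a false positive that the two-byte filter avoids.
    for port in (53, 309, 80):
        print(port, compare_port_filters(port))
```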
Current thread:
- How to review actual packets? Sheahan, Paul (PCLN-NW) (Jun 11)
- Re: How to review actual packets? Chris Green (Jun 11)
- Logging Question Jim Kipp (Jun 11)
- Re: Logging Question Phil Wood (Jun 11)
- Re: Logging Question Rich Adamson (Jun 11)
- Logging Question Jim Kipp (Jun 11)
- Re: How to review actual packets? John Sage (Jun 11)
- Re: How to review actual packets? Chris Green (Jun 11)