Snort mailing list archives

Re: Packet contents?


From: Joe McAlerney <joey () SiliconDefense com>
Date: Tue, 31 Jul 2001 13:50:55 -0700

Hello Joerg,

If you use -d, it will log the packet contents under the IP address
subdirectories in Snort's log directory.  Log viewers such as SnortSnarf
will parse this.  ACID will show the payload as well. 

If you want the packet contents in a single "alert" file, I suppose you
could log alerts in tcpdump format using -b, roll over the logs and read
it back into Snort using -r, and direct it into a file.

example:

# snort -c vision.conf -l . -db
.. tick .. tock .. tick .. tock
# killall snort
# ls
alert  portscan.log  snort-0731@1346.log
# snort -dvr snort-0731@1346.log > alert_and_payload

-Joe M.

-- 
|   Joe McAlerney     joey () silicondefense com   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

Joerg Weber wrote:

Ladies, Gentlemen,

I had a look through the archives and saw that similar questions came up
before but no real 'easy' answers were found.
I'd simply like to get the packet content of packets which trigger some of
my rules logged to a file. That doesn't have to be the alert file itself
(would be nice, but that's been asked before and answered being impossible).
Could someone tell me how to do that?

Thanks a lot,

Joerg

------------------------------------------------------------
Joerg Weber, Systemadministration
JET Online GmbH
Altenkesseler Straße 17 / Geb. B5
66115 Saarbruecken
mailto:joerg.weber () jet-online de
http://www.jet-online.de
Nihil tam munitum quod non expugnari pecuna possit.
(Nothing is so well fortified that it cannot be taken with money.)
------------------------------------------------------------


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list

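Joe's recipe logs in tcpdump (pcap) format with -b and reads the file back with -r to get the payloads into a text file. As an added illustration of what that read-back step involves, the following Python program is an example written for this archive page, not code from the thread or from Snort: it parses the pcap format that `snort -b` writes, walks Ethernet/IPv4/TCP/UDP to locate the payload, and prints a per-packet header line and a hex/ASCII dump in the spirit of `snort -dv`. The two-packet capture it reads is constructed inline (the addresses, ports, timestamp and contents are assumed, not taken from the thread). It also handles two details the shell recipe glosses over: a TCP header with options (the payload starts at the data offset, not at byte 20) and a trailing record that is shorter than its header claims.

```python
"""Read packets back out of a tcpdump/pcap-format file (the format `snort -b`
writes) and print each one with a hex/ASCII dump of its payload, roughly what
`snort -dvr <file>` produces.  Example code for this thread, not Snort's own;
the sample capture is constructed inline (assumed addresses, ports, contents)."""
import struct
import socket

PCAP_MAGIC = 0xA1B2C3D4          # stored as d4 c3 b2 a1 by a little-endian host
LINKTYPE_ETHERNET = 1
ETH_P_IP = 0x0800


def build_packet(proto, src, dst, sport, dport, payload, tcp_opts=b""):
    """Ethernet/IPv4/(TCP|UDP) frame.  Checksums are left zero: this is sample
    data for a parser, and the reader below does not verify them."""
    if proto == socket.IPPROTO_TCP:
        doff = 5 + len(tcp_opts) // 4                   # header length in 32-bit words
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, doff << 4,
                         0x18, 8192, 0, 0) + tcp_opts
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload),
                     0x1234, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth + ip + l4 + payload


def build_pcap(packets, ts=996612360):
    """Little-endian pcap v2.4, Ethernet link type (assumed timestamp: 2001-07-31 13:46 PDT)."""
    blob = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        blob += struct.pack("<IIII", ts + i, 0, len(pkt), len(pkt)) + pkt
    return blob


def decode(pkt):
    """Walk Ethernet -> IPv4 -> TCP/UDP, honouring IHL and the TCP data offset."""
    if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETH_P_IP:
        return None                                     # not IPv4: nothing to show here
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    l4 = ip[ihl:total_len]                              # drops any Ethernet trailer padding
    rec = {"proto": proto, "src": socket.inet_ntoa(ip[12:16]),
           "dst": socket.inet_ntoa(ip[16:20]), "sport": None, "dport": None}
    if proto == socket.IPPROTO_TCP:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        hlen = (l4[12] >> 4) * 4                        # TCP options live inside the header
    elif proto == socket.IPPROTO_UDP:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        hlen = 8
    else:
        hlen = 0                                        # ICMP etc.: dump everything after IP
    rec["payload"] = l4[hlen:]
    return rec


def parse_pcap(blob):
    """Return [(ts_sec, ts_usec, decoded record or None)] for every complete record."""
    magic, = struct.unpack("<I", blob[:4])
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a pcap file (bad magic %#x)" % magic)
    linktype = struct.unpack(end + "I", blob[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures handled here, got linktype %d" % linktype)
    off, out = 24, []
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", blob[off:off + 16])
        if off + 16 + incl > len(blob):
            break                                       # short trailing record: stop, don't crash
        out.append((ts_sec, ts_usec, decode(blob[off + 16:off + 16 + incl])))
        off += 16 + incl
    return out


def hexdump(data, width=16):
    lines = []
    for o in range(0, len(data), width):
        chunk = data[o:o + width]
        hx = " ".join("%02X" % b for b in chunk).ljust(width * 3 - 1)
        lines.append("%s  %s" % (hx, "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)))
    return lines


def render(blob):
    """Text in the spirit of `snort -dv`: one header line per packet, then the payload dump."""
    names = {6: "TCP", 17: "UDP", 1: "ICMP"}
    lines = []
    for ts_sec, ts_usec, rec in parse_pcap(blob):
        if rec is None:
            continue
        lines.append("%d.%06d %s:%s -> %s:%s %s len=%d" % (
            ts_sec, ts_usec, rec["src"], rec["sport"], rec["dst"], rec["dport"],
            names.get(rec["proto"], str(rec["proto"])), len(rec["payload"])))
        lines.extend(hexdump(rec["payload"]))
        lines.append("=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+")
    return "\n".join(lines) + "\n"


# Constructed sample log: a TCP request carrying an MSS option, then a UDP datagram.
SAMPLE_LOG = build_pcap([
    build_packet(socket.IPPROTO_TCP, "10.0.0.5", "10.0.0.80", 1034, 80,
                 b"GET / HTTP/1.0\r\n\r\n", tcp_opts=bytes.fromhex("020405b4")),
    build_packet(socket.IPPROTO_UDP, "10.0.0.5", "10.0.0.53", 1035, 53,
                 b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6),
])

if __name__ == "__main__":
    with open("alert_and_payload", "w") as fh:        # same idea as `snort -dvr ... > file`
        fh.write(render(SAMPLE_LOG))
    print(render(SAMPLE_LOG), end="")
```

To use it on a real `snort -b` log, replace `SAMPLE_LOG` with the file's bytes (`open("snort-0731@1346.log", "rb").read()`); the reader only understands Ethernet captures and leaves checksum verification and IP fragment reassembly to Snort itself.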