Snort mailing list archives

Re: packet decodes on full alerts


From: Phil Wood <cpw () lanl gov>
Date: Mon, 19 Nov 2001 15:23:07 -0700

I don't know if this helps, but ...

I use the -b option to log all my alerts to a pcap file.  I post-process
the pcap file using snort and read the pcap file in with the -r option.
The pcap file contains the entire packet. [It's quicker than converting
to hex and writing text files.]

Here is the relevant incantation (I left out other switches which set the
logging directory, filenames, and bpf filter):

  % snort -b -N -A none -i eth2 -c /data/pw/scripts/CR.conf

And, here are the relevant config lines:

(In this case I'm only interested in web stuff, so I've limited the
preprocessors included and the alerts that stream4 generates.)

var IDSBASE /data/pw
...
preprocessor frag2
preprocessor stream4: noalerts
preprocessor stream4_reassemble: noalerts
preprocessor http_decode: 80 -unicode -cginull
...
include $IDSBASE/scripts/classification.config
include $IDSBASE/scripts/web-cgi.rules
include $IDSBASE/scripts/web-coldfusion.rules
include $IDSBASE/scripts/web-frontpage.rules
include $IDSBASE/scripts/web-iis.rules
include $IDSBASE/scripts/web-misc.rules
include $IDSBASE/scripts/web-attacks.rules

On Mon, Nov 19, 2001 at 03:36:29PM -0600, Lance Spitzner wrote:
Question on 1.8

I have Snort sending full alerts to a log file.

   output alert_full: /var/adm/snort_alerts

Is there any way I can get the alerts to include the actual
packet payload of the packet that initiated the alert?  I
have Snort running with the '-d' option, thought that
would do the trick, but it does not.  Below are the alerts
I am getting; I would like to get the packet payload also.

Thanks!



[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:49.132647 216.156.130.2:3307 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:20849 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x83F3751B  Ack: 0xB46F9  Win: 0x2238  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:49.226834 216.156.130.2:3307 -> 172.16.1.108:80
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:120
***AP*** Seq: 0x83F3751B  Ack: 0x83F3751B  Win: 0x21E8  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:59.214308 216.156.130.2:4162 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:43939 IpLen:20 DgmLen:175 DF
***AP*** Seq: 0x83F382C5  Ack: 0xB46FB  Win: 0x2238  TcpLen: 20

-- 
Lance Spitzner
http://project.honeynet.org


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
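An added example, not from either message in this thread: a small Python parser for the alert_full records quoted above that turns each record into the BPF expression needed to pull the matching flow back out of the binary (-b) log. The sample input is constructed from the records above; the Alert class and function names are my own and not part of Snort.

```python
import re
from dataclasses import dataclass

# Constructed sample input: two of the alert_full records quoted in the thread.
SAMPLE_ALERTS = """\
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:49.132647 216.156.130.2:3307 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:20849 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x83F3751B  Ack: 0xB46F9  Win: 0x2238  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:59.214308 216.156.130.2:4162 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:43939 IpLen:20 DgmLen:175 DF
***AP*** Seq: 0x83F382C5  Ack: 0xB46FB  Win: 0x2238  TcpLen: 20
"""

# One pattern per line of the record: rule header, classification, addresses, protocol.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
ADDR_RE = re.compile(r"^(\S+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
PROTO_RE = re.compile(r"^(TCP|UDP) ")

@dataclass
class Alert:
    gid: int; sid: int; rev: int; msg: str; classification: str; priority: int
    timestamp: str; src: str; sport: int; dst: str; dport: int; proto: str

def parse_alerts(text):
    """Parse blank-line-separated alert_full records (TCP/UDP only; ICMP records differ)."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4:
            continue
        h, c, a, p = (HEADER_RE.match(lines[0]), CLASS_RE.match(lines[1]),
                      ADDR_RE.match(lines[2]), PROTO_RE.match(lines[3]))
        if not (h and c and a and p):
            continue  # unrecognised record: skip rather than guess
        alerts.append(Alert(int(h[1]), int(h[2]), int(h[3]), h[4], c[1], int(c[2]),
                            a[1], a[2], int(a[3]), a[4], int(a[5]), p[1]))
    return alerts

def bpf_filter(alert):
    """BPF expression that selects the alert's flow (both directions) from the -b pcap."""
    return (f"{alert.proto.lower()} and host {alert.src} and host {alert.dst}"
            f" and port {alert.sport} and port {alert.dport}")
```

The returned expression goes on the command line as the trailing BPF filter of `snort -r <pcap> -d` or `tcpdump -r <pcap> -X`, so that only the packets behind that one alert are decoded with their payload.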