Snort mailing list archives
Re: packet decodes on full alerts
From: Phil Wood <cpw () lanl gov>
Date: Mon, 19 Nov 2001 15:23:07 -0700
I don't know if this helps, but ... I use the -b option to log all my alerts to a pcap file. I post-process the pcap file using snort and read the pcap file in with the -r option. The pcap file contains the entire packet. [It's quicker than converting to hex and writing text files.]

Here is the relevant incantation (I left out other switches which set the logging directory, filenames, and bpf filter):

  % snort -b -N -A none -i eth2 -c /data/pw/scripts/CR.conf

And, here are the relevant config lines: (In this case I'm only interested in web stuff, so I've limited the preprocessors included and the alerts that stream4 generates.)

  var IDSBASE /data/pw
  ...
  preprocessor frag2
  preprocessor stream4: noalerts
  preprocessor stream4_reassemble: noalerts
  preprocessor http_decode: 80 -unicode -cginull
  ...
  include $IDSBASE/scripts/classification.config
  include $IDSBASE/scripts/web-cgi.rules
  include $IDSBASE/scripts/web-coldfusion.rules
  include $IDSBASE/scripts/web-frontpage.rules
  include $IDSBASE/scripts/web-iis.rules
  include $IDSBASE/scripts/web-misc.rules
  include $IDSBASE/scripts/web-attacks.rules

On Mon, Nov 19, 2001 at 03:36:29PM -0600, Lance Spitzner wrote:
> Question on 1.8
>
> I have Snort sending full alerts to a log file.
>
>   output alert_full: /var/adm/snort_alerts
>
> Is there any way I can get the alerts to include the actual packet payload of the packet that initiated the alert? I have Snort running with the '-d' option, thought that would do the trick but it is not. Below are the alerts I am getting, I would like to get the packet payload also. Thanks!
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 11/19-20:49:49.132647 216.156.130.2:3307 -> 172.16.1.108:80
> TCP TTL:115 TOS:0x0 ID:20849 IpLen:20 DgmLen:120 DF
> ***AP*** Seq: 0x83F3751B  Ack: 0xB46F9  Win: 0x2238  TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 11/19-20:49:49.226834 216.156.130.2:3307 -> 172.16.1.108:80
> TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:120
> ***AP*** Seq: 0x83F3751B  Ack: 0x83F3751B  Win: 0x21E8  TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 11/19-20:49:59.214308 216.156.130.2:4162 -> 172.16.1.108:80
> TCP TTL:115 TOS:0x0 ID:43939 IpLen:20 DgmLen:175 DF
> ***AP*** Seq: 0x83F382C5  Ack: 0xB46FB  Win: 0x2238  TcpLen: 20
>
> --
> Lance Spitzner
> http://project.honeynet.org
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
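Added example, not from the thread or from the Snort project: a small standard-library Python reader for the libpcap file that "snort -b" writes, showing the full TCP payload that the alert_full entries above leave out. It walks Ethernet/IPv4/TCP only (the decoder, the record layout and the search helper are assumptions of this example, not Snort code), and the capture it parses is constructed inline to mirror the first alert Lance quoted (same addresses, ports, TTL, IP ID and sequence numbers; the HTTP request line and the zeroed checksums are made up).

```python
# Added example (not from the thread): minimal reader for the libpcap file that
# "snort -b" produces, extracting the TCP payload that alert_full omits.
# Standard library only; handles Ethernet -> IPv4 -> TCP frames and nothing else.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4  # microsecond-timestamp libpcap, as Snort 1.x writes
DLT_EN10MB = 1              # Ethernet link type


@dataclass
class TcpRecord:
    ts: float        # capture time, seconds since the epoch
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes   # TCP segment data (empty for pure ACKs)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _decode_frame(frame: bytes) -> Optional[Tuple[str, int, str, int, bytes]]:
    """Walk Ethernet -> IPv4 -> TCP; return None for anything else or truncated data."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # ethertype != IPv4
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or len(ip) < ihl + 20:                 # protocol != TCP / too short
        return None
    tcp = ip[ihl:total_len]                               # drops Ethernet trailer padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return _ipv4(ip[12:16]), sport, _ipv4(ip[16:20]), dport, tcp[data_off:]


def parse_pcap(data: bytes) -> List[TcpRecord]:
    """Return one TcpRecord per TCP segment found in a libpcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:        # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a libpcap (microsecond) capture")
    ghdr = struct.Struct(endian + "IHHiIII")  # magic, ver maj/min, zone, sigfigs, snaplen, linktype
    rhdr = struct.Struct(endian + "IIII")     # ts_sec, ts_usec, incl_len, orig_len
    if ghdr.unpack_from(data, 0)[6] != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled here")
    records: List[TcpRecord] = []
    off = ghdr.size
    while off + rhdr.size <= len(data):
        ts_sec, ts_usec, incl_len, _ = rhdr.unpack_from(data, off)
        off += rhdr.size
        frame = data[off:off + incl_len]
        off += incl_len
        decoded = _decode_frame(frame)
        if decoded:
            src, sport, dst, dport, payload = decoded
            records.append(TcpRecord(ts_sec + ts_usec / 1e6, src, sport, dst, dport, payload))
    return records


def search_payloads(data: bytes, needle: bytes) -> List[TcpRecord]:
    """Records whose payload contains `needle`, case-insensitively (e.g. b"cmd.exe")."""
    needle = needle.lower()
    return [r for r in parse_pcap(data) if needle in r.payload.lower()]


def build_sample_pcap() -> bytes:
    """Constructed capture: one request shaped like the first alert quoted in the thread.
    Addresses, ports, TTL, IP ID and sequence/ack numbers mirror that alert; the
    request line and the zeroed checksums are made up for this example."""
    http = b"GET /scripts/cmd.exe HTTP/1.0\r\nHost: 172.16.1.108\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 3307, 80, 0x83F3751B, 0xB46F9,
                      5 << 4, 0x18, 0x2238, 0, 0)       # 20-byte header, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http),
                     20849, 0x4000, 115, 6, 0,          # ID 20849, DF set, TTL 115, TCP
                     bytes([216, 156, 130, 2]), bytes([172, 16, 1, 108]))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + http   # zero MACs, ethertype IPv4
    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)
    rhdr = struct.pack("<IIII", 1006202989, 132647, len(frame), len(frame))
    return ghdr + rhdr + frame


if __name__ == "__main__":
    # With a real file: search_payloads(open("snort-b-output.log", "rb").read(), b"cmd.exe")
    for rec in search_payloads(build_sample_pcap(), b"cmd.exe"):
        print(f"{rec.src}:{rec.sport} -> {rec.dst}:{rec.dport}")
        print(rec.payload.decode("ascii", "replace"))
```

Pointing parse_pcap at the file written by the -b run gives the same packets "snort -r" would replay, but with the segment data in hand so the request that fired rule 1:1002 can be read directly rather than reconstructed from hex.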
Current thread:
- packet decodes on full alerts Lance Spitzner (Nov 19)
- Re: packet decodes on full alerts Erek Adams (Nov 19)
- Re: packet decodes on full alerts Phil Wood (Nov 19)