Snort mailing list archives

Re: matching logs..


From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 6 Jun 2002 11:08:31 -0700 (PDT)

On Thu, 6 Jun 2002, Ashley Thomas wrote:

I was trying to make sense out of the logs i got while running snort.

[...snip...]

[**] SHELLCODE x86 setgid 0 [**]
06/06-00:19:41.157463 A.B.C.D:14630 -> P.Q.R.S:4369
TCP TTL:62 TOS:0x0 ID:51704 IpLen:20 DgmLen:1480 DF
***A**** Seq: 0xF2FC9838  Ack: 0x5EC73BBF  Win: 0x16D0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

2. I had also run snort as
./snort -dve -i eth1 -llog-dir2

There should be a corresponding entry for this alert in log-dir2 also ,
right ?

I see a lot of files TCP:port1-port2 where port1-port2 are numbers.

Now I look for the combination 14630:4369 since the alert is that combo.
In fact there is a file TCP:14630-4369 but it shows
all the logs having P.Q.R.S:4369 -> A.B.C.D:14630 EXACTLY opposite as in the
alert !!
--------------------------------------------------------------------------------------
and there is no file TCP:4369-14630 !!

Why is the direction shown in the opposite direction ? Does that mean
something..
If anyone could clarify it would be great !

[...snip...]

This could be quite normal.  From:
        http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.3

"Of course, this assumes you have a directory named "log" in the current
directory. If you don't, Snort will exit with an error message.
When Snort runs in this mode, it collects every packet it sees and places it
in a directory hierarchy based upon the IP address of one of
the hosts in the datagram.

If you just specify a plain "-l" switch, you may notice that Snort sometimes
uses the address of the remote computer as the directory in
which it places packets, and sometimes it uses the local host address. In
order to log relative to the home network, you need to tell
Snort which network is the home network:

      ./snort -dev -l ./log -h 192.168.1.0/24

This rule tells Snort that you want to print out the data link and TCP/IP
headers as well as application data into the directory ./log,
and you want to log the packets relative to the 192.168.1.0 class C network.
All incoming packets will be recorded into subdirectories of
the log directory, with the directory names being based on the address of the
remote (non-192.168.1) host. Note that if both hosts are on
the home network, then they are recorded based upon the higher of the two's
port numbers, or in the case of a tie, the source address. "

From your command line, you don't have -h set, so I'm guessing that's what
happened.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
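An added example, not code from the thread or from the Snort project, that models the directory rule in the manual text quoted above: the per-session log file is keyed by the host pair and the port pair, so the packet in the alert and the reply traffic land in the same TCP:14630-4369 file whatever direction each packet was travelling. The addresses are constructed (RFC 5737 ranges standing in for A.B.C.D and P.Q.R.S), and the higher-port-first filename order is an assumption inferred from the file name the poster saw, not something the manual excerpt states.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as it appears in a Snort alert/log header line."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


def in_home_net(ip: str, home_net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(home_net, strict=False)


def log_path(pkt: Packet, home_net: str) -> tuple[str, str]:
    """(directory, filename) for a packet under `snort -l <dir> -h <home_net>`.

    Directory rule from the quoted manual text: the remote (non-home) host's
    address; if both hosts are on the home network, the host with the higher
    port, or the source on a tie. Assumption: the same port rule is applied
    when neither host is on the home network (the excerpt does not say).
    """
    src_home = in_home_net(pkt.src_ip, home_net)
    dst_home = in_home_net(pkt.dst_ip, home_net)
    if src_home and not dst_home:
        directory = pkt.dst_ip
    elif dst_home and not src_home:
        directory = pkt.src_ip
    elif pkt.src_port > pkt.dst_port:
        directory = pkt.src_ip
    elif pkt.dst_port > pkt.src_port:
        directory = pkt.dst_ip
    else:
        directory = pkt.src_ip
    # Filename assumption (inferred from the TCP:14630-4369 file in the thread):
    # the port pair is written higher port first, regardless of direction.
    hi, lo = max(pkt.src_port, pkt.dst_port), min(pkt.src_port, pkt.dst_port)
    return directory, f"{pkt.proto}:{hi}-{lo}"


def same_log_file(a: Packet, b: Packet, home_net: str) -> bool:
    """True when two packets (e.g. both directions of one session) share a file."""
    return log_path(a, home_net) == log_path(b, home_net)


if __name__ == "__main__":
    # Constructed sample: 192.0.2.10 plays the home host, 198.51.100.7 the remote one.
    alert = Packet("192.0.2.10", 14630, "198.51.100.7", 4369)
    reply = Packet("198.51.100.7", 4369, "192.0.2.10", 14630)
    print(log_path(alert, "192.0.2.0/24"), log_path(reply, "192.0.2.0/24"))
    print(same_log_file(alert, reply, "192.0.2.0/24"))
```

Without -h the manual says the directory may be either host, so the same function cannot predict that case; the point of the example is that the filename never encodes direction.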



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

