Snort mailing list archives
Re: Packet payload
From: Erek Adams <erek () theadamsfamily net>
Date: Sat, 8 Jun 2002 20:11:55 -0700 (PDT)
On Sat, 8 Jun 2002, Ashley Thomas wrote:
> When a snort alert happens, can we see the packet payload that caused this alert? The logging that was created contained only as much info as the alert... any pointers?
Perhaps.... First off, we need to know a few things, since that makes a difference in how/where to find the data. What type of logging? ASCII or binary?

If ASCII, the packet payload should be inside the dir you specified with "-l <dirname>". You should find these files in /var/log/snort unless you picked somewhere else with the command-line switch. It will be broken down in the format <IP>/<type_of_traffic>:<ports>. This is also known as ASCII logging.

If it's binary logging (the "-b" option), then it's located in the binary file inside of the /var/log/snort dir, or wherever you placed it with '-l <logdir>'. Then simply use 'snort -vader <filename> -l <logdir>' to dump out all the packets in the binary logs.

If you're just getting alerts--you can't see the data. You didn't store it anywhere. :(

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
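The binary log Erek refers to ("-b") is written in libpcap (tcpdump) format, which is why 'snort -r' can read it back. When snort itself is not at hand, the payload can be pulled out of that file with nothing but the standard library. The following is an added example, not code from the thread or from the Snort project: a minimal libpcap reader that walks Ethernet/IPv4/TCP|UDP frames and returns the 5-tuple plus application-layer payload for each record. The sample capture it parses is constructed in the block (two packets with zeroed checksums and an ARP frame that is skipped); the file name SAMPLE_PCAP and the helper names are the example's own.

```python
"""Read TCP/UDP payloads out of a libpcap file (the format of Snort's -b log)."""
import socket
import struct

LINKTYPE_ETHERNET = 1      # DLT_EN10MB, what Snort writes when sniffing Ethernet
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def pcap_records(data: bytes):
    """Yield (ts_sec, ts_usec, frame) for every record in a libpcap byte string."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:      # written little-endian
        e = "<"
    elif magic == 0xD4C3B2A1:    # written big-endian
        e = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    (linktype,) = struct.unpack(e + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off = 24                      # size of the global header
    while off + 16 <= len(data):  # 16-byte per-record header
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def decode_frame(frame: bytes):
    """Return {proto, src, sport, dst, dport, payload} for IPv4 TCP/UDP, else None."""
    if len(frame) < 34:           # Ethernet (14) + minimal IPv4 header (20)
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:total_len]        # slicing to total_len drops Ethernet padding
    if proto == 6:                # TCP: data offset lives in the high nibble of byte 12
        name, hlen = "TCP", (l4[12] >> 4) * 4
    elif proto == 17:             # UDP: fixed 8-byte header
        name, hlen = "UDP", 8
    else:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"proto": name, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "payload": l4[hlen:]}


def payloads_from_pcap(data: bytes):
    """Decode every record; non-IP / non-TCP/UDP frames are silently skipped."""
    out = []
    for _sec, _usec, frame in pcap_records(data):
        rec = decode_frame(frame)
        if rec is not None:
            out.append(rec)
    return out


# ---- constructed sample capture (not real traffic; checksums left at zero) ----
def _eth(ethertype: int, body: bytes) -> bytes:
    return bytes(6) + bytes(6) + struct.pack("!H", ethertype) + body


def _ipv4(proto: int, src: str, dst: str, l4: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return _eth(ETHERTYPE_IPV4, hdr + l4)


def _tcp(src, sport, dst, dport, payload):
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return _ipv4(6, src, dst, hdr + payload)


def _udp(src, sport, dst, dport, payload):
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return _ipv4(17, src, dst, hdr + payload)


def build_pcap(frames) -> bytes:
    """Wrap raw Ethernet frames in a little-endian libpcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1023590000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([
    _tcp("10.0.0.5", 33000, "192.168.1.10", 80, b"GET / HTTP/1.0\r\n\r\n"),
    _eth(ETHERTYPE_ARP, bytes(28)),          # skipped by decode_frame
    _udp("10.0.0.5", 40000, "192.168.1.53", 53, b"\x12\x34\x01\x00" + bytes(8)),
])

if __name__ == "__main__":
    for r in payloads_from_pcap(SAMPLE_PCAP):
        print(f"{r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}")
        print("  " + r["payload"].hex(" "))
```

To use it on a real log, replace SAMPLE_PCAP with open("/var/log/snort/snort.log", "rb").read(). Note that this reader is Ethernet-only and does no IP reassembly or TCP stream reconstruction, so a payload that Snort matched across fragments or segments will appear here as separate pieces.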
Current thread:
- Packet payload Ashley Thomas (Jun 08)
- RE: Packet payload Wayne T Work (Jun 08)
- Re: Packet payload Erek Adams (Jun 08)