Snort mailing list archives
RE: Snort with DHCP
From: Erek Adams <erek () snort org>
Date: Sat, 3 May 2003 15:49:15 -0400 (EDT)
On Fri, 2 May 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:
> Oh, I don't want to see the logs in tcpdump format. Now, with the configuration I am running, snort is generating two files in /var/log/snort: 1) alert, which lists the traffic info in an understandable way, and 2) snort.log, which has to be decoded to read. I want all the stuff to go into the alert file and not in tcpdump format. What should I do for that? Will it be enough if I remove the -b option and keep only -d?
Even if you set the alert mode to 'Full', you won't get any real info in the alert file. For example:

[**] [1:498:3] ATTACK RESPONSES id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/11-10:45:33.427621 66.35.250.206:50797 -> 192.168.0.2:25
TCP TTL:51 TOS:0x0 ID:63215 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xD8DC285C  Ack: 0x62241510  Win: 0x1D50  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1274931858 521985446

Whereas the pcap has the following:

04/11-10:45:33.427621 66.35.250.206:50797 -> 192.168.0.2:25
TCP TTL:51 TOS:0x0 ID:63215 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xD8DC285C  Ack: 0x62241510  Win: 0x1D50  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1274931858 521985446
41 43 4B 20 52 45 53 50 4F 4E 53 45 53 20 69 64  ACK RESPONSES id
0D 0A 3E 63 68 65 63 6B 20 72 65 74 75 72 6E 65  ..>check returne
64 20 72 6F 6F 74 22 3B 20 63 6F 6E 74 65 6E 74  d root"; content
[...rest of packet snipped...]

Basically the alert file is there only for you to be able to glance thru and see what's going on. Otherwise it's fairly useless. With the pcap you can actually extract the data that's needed, show it in a standard format, and have everything that you would need to give to someone and say 'They were attacking me'. It's got the _full_ packet in the pcap, including the payload data. Not just an alert...

I'd suggest that you use the binary (pcap) logging in addition to the full alerts, if you can. That will provide the best of both worlds. You'll have all the data from the packet if you need it, and you'll have a file that you can glance thru without parsing.

BTW, if you need to extract data from the pcap file:

snort -vdr tcpdump.log.1049980538 'host 66.35.250.206'

was the command that I used to extract that full packet from the pcap.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
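Pulling one host's packets back out of the binary log, as the `snort -vdr ... 'host ...'` command above does, shown here as an added example that is not code from the original post or from Snort: a small libpcap reader that applies the host filter and hex-dumps the TCP payload in the same hex/ASCII layout Snort's -d output uses. It assumes an Ethernet capture carrying IPv4/TCP, and the capture it reads is constructed inline from the addresses and payload bytes quoted above.

```python
# Added example, not code from the post or from Snort. Assumes an Ethernet
# (DLT_EN10MB) capture; the one-packet sample at the bottom is constructed inline.
import socket
import struct

def hexdump(payload):
    """16 bytes per line: hex column, then printable ASCII with '.' for the rest."""
    lines = []
    for i in range(0, len(payload), 16):
        chunk = payload[i:i + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(47)
        lines.append(hexpart + "  " + "".join(chr(b) if 32 <= b < 127 else "." for b in chunk))
    return lines

def tcp_packets_for_host(pcap, host):
    """Return [(src, sport, dst, dport, payload)] for TCP packets with host as src or dst."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # magic number gives byte order
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off, found = 24, []
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":                 # EtherType: not IPv4
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        if ip[9] != 6 or host not in (src, dst):     # TCP only, then the host filter
            continue
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        found.append((src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]))  # skip header + options
    return found

def build_pcap(src, sport, dst, dport, payload):
    """Constructed sample: one Ethernet/IPv4/TCP frame (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0xD8DC285C, 0x62241510, 5 << 4, 0x10, 0x1D50, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 63215, 0x4000, 51, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + struct.pack("<IIII", 1049980538, 0, len(frame), len(frame)) + frame

SAMPLE = build_pcap("66.35.250.206", 50797, "192.168.0.2", 25, b"ACK RESPONSES id\r\n>check returned root\"; content")

if __name__ == "__main__":
    for src, sport, dst, dport, payload in tcp_packets_for_host(SAMPLE, "66.35.250.206"):
        print(f"{src}:{sport} -> {dst}:{dport}", *hexdump(payload), sep="\n")
```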