Snort mailing list archives

Re: Alert messages in packet dumps


From: Neil Dickey <neil () geol niu edu>
Date: Mon, 14 Apr 2003 08:45:59 -0500 (CDT)

I solved my problem, described below in my post to the list last week,
by abandoning the tcpdump format output.  I would have liked to use it
because it is faster and more economical of space, but I never could
get it to do what I wanted it to and thought it should.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I've read the Snort manual, the man page, and checked the FAQ, but I
haven't found the answer to my problem.  First, here's what I'm running:

 Snort version 2.0.0.rc3
 Solaris 2.7

Alerts are going into an ASCII alert file, and the packets are stored
in a tcpdump-format file.  This is the relevant entry in my snort.conf
file:

 output log_tcpdump: /$LOGPATH/tcpdump.log

Here is my command line for invoking Snort in daemon mode:

 snort -dDe -A full -h my.home.net.0/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o -k none

This is what I'm currently using to translate the tcpdump file:

 snort -deX -q -A full -l $LOGPATH -r $LOGPATH/$READFILE

The problem is that when I decode the tcpdump file I haven't found a way
to get the alert messages to be written with the packet headers and contents
that the associated rule generated.  Here's what I get when I don't use
the tcpdump output option:

[**] WEB-CGI formmail access [**]
04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
bad.guy.net.188:1562 -> my.home.net.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
***AP*** Seq: 0x1101259E  Ack: 0xDA5E3BE7  Win: 0x2238  TcpLen: 20
47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99  GET http://wweb.
99 99 99 99 99 99 99 99 99 65 64 75 2F 63 67 69  serv.uni.edu/cgi
2D 62 69 6E 2F 66 6F 72 6D 6D 61 69 6C 2E 70 6C  -bin/formmail.pl
[ ... ]

Here's all I can get so far when I decode the tcpdump output:

04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
bad.guy.net.188:1562 -> my.home.net.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
***AP*** Seq: 0x1101259E  Ack: 0xDA5E3BE7  Win: 0x2238  TcpLen: 20
47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99  GET http://wweb.
99 99 99 99 99 99 99 99 99 65 64 75 2F 63 67 69  serv.uni.edu/cgi
2D 62 69 6E 2F 66 6F 72 6D 6D 61 69 6C 2E 70 6C  -bin/formmail.pl
[ ... ]

If I include the Snort configuration file on the command line I use to
translate the tcpdump file ...

 -c $RULESPATH/$RULESNAME

... the output is then in "alert" format, that is, in chronological order
and all in one file, rather than having the packets stored in individual
subdirectories named for the external net IP address -- which is what I
want.

So, how do I use the tcpdump-format data to extract packet captures, with
headers, sorted by the external net IP address, that also include the alert
message for each packet?  Any help will be very much appreciated.

[ .... ]


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
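What the post asks for, the alert message kept together with each decoded packet and the records filed by the external address, can also be done after the fact on the ASCII output Snort already writes with -A full. The script below is an added example, not code from the original post or from the Snort project. It parses the record format shown in the post (the "[**] msg [**]" line, the decoded Ethernet/IP/TCP headers, the hex and ASCII payload dump) and writes each record under a per-IP directory in the same shape as Snort's own ASCII packet logs. The sample records, the 203.0.113.0/24 home net standing in for my.home.net.0/24, and the PROTO:sport-dport file naming are constructed assumptions.

```python
"""Re-file Snort '-A full' alert records into per-external-IP directories.

Added example (not from the original post or the Snort project): parses the
ASCII record format shown in the post and writes each record, alert message
included, under <logdir>/<external ip>/<PROTO>:<sport>-<dport>, the layout
Snort's own ASCII packet logging uses.
"""
import ipaddress
import os
import re
from collections import defaultdict

# Constructed sample in Snort 2.x '-A full' format. Addresses are RFC 5737
# documentation ranges; 203.0.113.0/24 stands in for the post's my.home.net.0/24.
SAMPLE_ALERT_LOG = """\
[**] WEB-CGI formmail access [**]
04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
192.0.2.188:1562 -> 203.0.113.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
***AP*** Seq: 0x1101259E  Ack: 0xDA5E3BE7  Win: 0x2238  TcpLen: 20
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 66 6F 72  GET /cgi-bin/for
6D 6D 61 69 6C 2E 70 6C 20 48 54 54 50 2F 31 2E  mmail.pl HTTP/1.
30 0D 0A 0D 0A                                   0....

[**] WEB-MISC /etc/passwd [**]
04/01-01:31:02.112233 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x5A
198.51.100.7:33011 -> 203.0.113.6:80 TCP TTL:51 TOS:0x0 ID:4123 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0x0ABCDEF0  Ack: 0x12345678  Win: 0x4000  TcpLen: 20
47 45 54 20 2F 2E 2E 2F 65 74 63 2F 70 61 73 73  GET /../etc/pass
77 64 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A     wd HTTP/1.0....

[**] WEB-CGI formmail access [**]
04/01-01:35:10.000001 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
192.0.2.188:1590 -> 203.0.113.6:80 TCP TTL:107 TOS:0x0 ID:7101 IpLen:20 DgmLen:252 DF
***AP*** Seq: 0x1101A000  Ack: 0xDA5F0000  Win: 0x2238  TcpLen: 20
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 66 6F 72  GET /cgi-bin/for
6D 6D 61 69 6C 2E 70 6C 20 48 54 54 50 2F 31 2E  mmail.pl HTTP/1.
30 0D 0A 0D 0A                                   0....
"""

HOME_NET = ipaddress.ip_network("203.0.113.0/24")   # assumed home net

# '[**] msg [**]'; newer Snort versions prefix msg with '[gid:sid:rev]', which .+ keeps.
MSG_RE = re.compile(r"^\[\*\*\] (?P<msg>.+) \[\*\*\]$")
# 'src[:sport] -> dst[:dport] PROTO ...'; ports are absent for ICMP.
IPHDR_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))? (?P<proto>\w+)"
)

def parse_records(text):
    """Split '-A full' output into records; blank lines delimit them."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        msg = MSG_RE.match(lines[0])
        hdr = next((m for m in map(IPHDR_RE.match, lines[1:]) if m), None)
        if not msg or not hdr:
            continue   # not an alert record (e.g. a Snort banner or stray line)
        records.append({
            "msg": msg.group("msg"),
            "src": hdr.group("src"), "sport": hdr.group("sport") or "0",
            "dst": hdr.group("dst"), "dport": hdr.group("dport") or "0",
            "proto": hdr.group("proto"), "text": chunk + "\n",
        })
    return records

def external_address(rec, home_net=HOME_NET):
    """The non-home-net side of the packet, which names the directory."""
    src_home = ipaddress.ip_address(rec["src"]) in home_net
    dst_home = ipaddress.ip_address(rec["dst"]) in home_net
    if src_home and not dst_home:
        return rec["dst"]
    return rec["src"]   # external -> home, or both inside/outside: key on source

def group_by_external(text, home_net=HOME_NET):
    """Map external address -> its records, in log order."""
    groups = defaultdict(list)
    for rec in parse_records(text):
        groups[external_address(rec, home_net)].append(rec)
    return dict(groups)

def write_tree(text, logdir, home_net=HOME_NET):
    """Append each record to <logdir>/<ext ip>/<PROTO>:<sport>-<dport>; return paths."""
    written = []
    for ip, recs in group_by_external(text, home_net).items():
        os.makedirs(os.path.join(logdir, ip), exist_ok=True)
        for rec in recs:
            name = "%s:%s-%s" % (rec["proto"], rec["sport"], rec["dport"])   # Snort's Unix naming
            path = os.path.join(logdir, ip, name)
            with open(path, "a") as fh:   # append: one file per flow, records in time order
                fh.write(rec["text"] + "\n")
            written.append(path)
    return written
```

Run it against a real file with write_tree(open("/var/log/snort/alert").read(), "/var/log/snort/by-ip") after setting HOME_NET to the real home net; each record lands in its external address's directory with its "[**] ... [**]" line still attached, which is what replaying the tcpdump file alone does not give.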