Snort mailing list archives
Re: Alert messages in packet dumps
From: Neil Dickey <neil () geol niu edu>
Date: Mon, 14 Apr 2003 08:45:59 -0500 (CDT)
I solved my problem, described below in my post to the list last week, by abandoning the tcpdump format output. I would have liked to use it because it is faster and more economical of space, but I never could get it to do what I wanted it to and thought it should.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
I've read the Snort manual, the man page, and checked the FAQ, but I haven't found the answer to my problem.

First, here's what I'm running:

    Snort version 2.0.0.rc3
    Solaris 2.7

Alerts are going into an ASCII alert file, and the packets are stored in a tcpdump-format file. This is the relevant entry in my snort.conf file:

    output log_tcpdump: /$LOGPATH/tcpdump.log

Here is my command line for invoking Snort in daemon mode:

    snort -dDe -A full -h my.home.net.0/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o -k none
This is what I'm currently using to translate the tcpdump file:

    snort -deX -q -A full -l $LOGPATH -r $LOGPATH/$READFILE

The problem is that when I decode the tcpdump file I haven't found a way to get the alert messages to be written with the packet headers and contents that the associated rule generated. Here's what I get when I don't use the tcpdump output option:

    [**] WEB-CGI formmail access [**]
    04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
    bad.guy.net.188:1562 -> my.home.net.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
    ***AP*** Seq: 0x1101259E Ack: 0xDA5E3BE7 Win: 0x2238 TcpLen: 20
    47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99  GET http://wweb.
    99 99 99 99 99 99 99 99 99 65 64 75 2F 63 67 69  serv.uni.edu/cgi
    2D 62 69 6E 2F 66 6F 72 6D 6D 61 69 6C 2E 70 6C  -bin/formmail.pl
    [ ... ]

Here's all I can get so far when I decode the tcpdump output:

    04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
    bad.guy.net.188:1562 -> my.home.net.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
    ***AP*** Seq: 0x1101259E Ack: 0xDA5E3BE7 Win: 0x2238 TcpLen: 20
    47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99  GET http://wweb.
    99 99 99 99 99 99 99 99 99 65 64 75 2F 63 67 69  serv.uni.edu/cgi
    2D 62 69 6E 2F 66 6F 72 6D 6D 61 69 6C 2E 70 6C  -bin/formmail.pl
    [ ... ]

If I include the Snort configuration file on the command line I use to translate the tcpdump file ...

    -c $RULESPATH/$RULESNAME

... the output is then in "alert" format, that is, in chronological order and all in one file, rather than having the packets stored in individual subdirectories named for the external net IP address -- which is what I want.

So, how do I use the tcpdump-format data to extract packet captures, with headers, sorted by the external net IP address, that also include the alert message for each packet?

Any help will be very much appreciated.
[ .... ]
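The quoted post wants the alert message kept with each packet and the packets grouped by the external address. An added example, not from this thread and not Snort's own code, that does exactly that on the text Snort writes in "-A full" mode: it parses the multi-line records (alert header, timestamp line, IP line, protocol line, payload dump), picks the address outside a home net, and buckets records per external address, with a file name in the spirit of Snort's per-IP "-l" tree. The home net 192.0.2.0/24, the addresses and the payload bytes in the sample records are constructed; the exact Snort file-naming convention, especially for ICMP, is an assumption here.

```python
"""Group Snort '-A full' text alerts by the external address (added example)."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Constructed home net, standing in for the post's my.home.net.0/24.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample in the layout the post shows (snort -de ... -A full);
# addresses come from documentation ranges, payload bytes are made up.
SAMPLE_ALERTS = """\
[**] WEB-CGI formmail access [**]
04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
198.51.100.188:1562 -> 192.0.2.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
***AP*** Seq: 0x1101259E Ack: 0xDA5E3BE7 Win: 0x2238 TcpLen: 20
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 66 6F 72  GET /cgi-bin/for
6D 6D 61 69 6C 2E 70 6C 20 48 54 54 50 2F 31 2E  mmail.pl HTTP/1.

[**] WEB-MISC /etc/passwd [**]
04/01-01:31:02.100000 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x9C
198.51.100.188:1570 -> 192.0.2.6:80 TCP TTL:107 TOS:0x0 ID:7010 IpLen:20 DgmLen:142 DF
***AP*** Seq: 0x1101A000 Ack: 0xDA5E4000 Win: 0x2238 TcpLen: 20
47 45 54 20 2F 2E 2E 2F 65 74 63 2F 70 61 73 73  GET /../etc/pass

[**] ICMP PING NMAP [**]
04/01-01:32:15.000000 AA:BB:CC:DD:EE:01 -> 00:11:22:33:44:55 type:0x800 len:0x3C
203.0.113.9 -> 192.0.2.6 ICMP TTL:40 TOS:0x0 ID:1 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+")
# src[:port] -> dst[:port] PROTO ...  (ports are absent for ICMP)
IP_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))? (?P<proto>[A-Z]+)"
)


@dataclass
class Alert:
    msg: str
    timestamp: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    text: str  # the whole record, headers and payload dump included


def split_records(text: str) -> Iterator[List[str]]:
    """Yield each blank-line-separated alert record as a list of lines."""
    rec: List[str] = []
    for line in text.splitlines():
        if line.strip():
            rec.append(line)
        elif rec:
            yield rec
            rec = []
    if rec:
        yield rec


def parse_record(lines: List[str]) -> Alert:
    """Pull message, timestamp and addresses out of one full-alert record."""
    head = HEADER_RE.match(lines[0])
    if head is None:
        raise ValueError(f"record does not start with an alert header: {lines[0]!r}")
    ts = TIMESTAMP_RE.match(lines[1])
    if ts is None:
        raise ValueError(f"no timestamp on second line: {lines[1]!r}")
    # The IP line is the third line with -e (MAC line in between), the second without.
    ip = next((m for m in map(IP_RE.search, lines[1:]) if m), None)
    if ip is None:
        raise ValueError("no IP header line found in record")
    return Alert(
        msg=head["msg"], timestamp=ts.group(0),
        src=ip["src"], sport=int(ip["sport"]) if ip["sport"] else None,
        dst=ip["dst"], dport=int(ip["dport"]) if ip["dport"] else None,
        proto=ip["proto"], text="\n".join(lines),
    )


def external_ip(alert: Alert, home_net=HOME_NET) -> Optional[str]:
    """The peer outside the home net, or None when both ends are inside or outside."""
    src_home = ipaddress.ip_address(alert.src) in home_net
    dst_home = ipaddress.ip_address(alert.dst) in home_net
    if src_home and not dst_home:
        return alert.dst
    if dst_home and not src_home:
        return alert.src
    return None


def group_by_external(text: str, home_net=HOME_NET) -> Dict[str, List[Alert]]:
    """Bucket alerts by external address; ambiguous records fall under their source."""
    groups: Dict[str, List[Alert]] = defaultdict(list)
    for lines in split_records(text):
        alert = parse_record(lines)
        groups[external_ip(alert, home_net) or alert.src].append(alert)
    return dict(groups)


def record_path(alert: Alert, logdir: str, home_net=HOME_NET) -> str:
    """<logdir>/<external ip>/<PROTO>:<sport>-<dport>, modelled on Snort's ASCII
    '-l' layout (assumed naming; ICMP records get just the protocol name)."""
    ext = external_ip(alert, home_net) or alert.src
    name = alert.proto if alert.sport is None else f"{alert.proto}:{alert.sport}-{alert.dport}"
    return f"{logdir}/{ext}/{name}"


if __name__ == "__main__":
    for ip, alerts in group_by_external(SAMPLE_ALERTS).items():
        for a in alerts:
            print(record_path(a, "/var/log/snort"), a.timestamp, a.msg)
```

Feed it the ASCII alert file from a plain "-A full" run (the format the poster fell back to) and write each record's text to record_path(); the alert message then travels with its packet into the per-address directory, which is the layout the original question asked for.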
Current thread:
- Alert messages in packet dumps Neil Dickey (Apr 09)
- <Possible follow-ups>
- Re: Alert messages in packet dumps Neil Dickey (Apr 14)
- Re: Alert messages in packet dumps Edin Dizdarevic (Apr 14)