Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: session output

From: Costas Magos <kmag () lab epmhs gr>
Date: Mon, 03 Nov 2003 20:19:47 +0200


Matt Kettler wrote:


At 10:03 AM 11/3/2003, Costas Magos wrote:
in my snort.conf, in order to catch the excanged ascii data for all sessions. The snort-output I get is directories named after IP addresses with SESSION:<hi-port>-<lo-port> files (see below an example). What it seems to be confusing for me, is whether the IP addresses used as directory names are the originators or the recipients of the sessions, i.e. did they initialize the session or just accepted it? Under what criteria does snort pick the IP address of the session? How can this IP address be interpreted?
Snort should pick the IP address of the "non-local" address, based on the -H command-line parameter (note that even though this is called "home network" it is not necessarily the the same as HOME_NET in snort.conf, and they are configured separately).
You are right, using the -h parameter things cleared up. Only non-local IP addresses are logged.
If you use no -H parameter, I think it will wind up defaulting to the destination address of whatever packet caused it to alert.
When not using the -h parameter, it seems that the IP addresses used as directories, were from machines that *initiated* the sessions. This was verified against the actual binary, using ethereal. This was true for all sessions except for two IRC sessions, where the session file indicated that a non-local IP from port 6667 initiated a connection toward a local IP from port 6667 (that is, a server connecting to a client...) and ethereal revealed exactly the opposite, the local IP connecting to a remote IRC server. It is for this contradiction, I opened this thread.
Personally, I switched to tcpdump output a long time ago. For speed and disk space reasons I'd recommend it over the plain ASCII mode logging. You can always convert the binary files to ASCII when you need to with tcpdump -xvvr. Tcpdump binary format is also convenient for feeding into a variety of other tools, should you want to do so. 













-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: