Snort mailing list archives
Re: session output
From: Costas Magos <kmag () lab epmhs gr>
Date: Mon, 03 Nov 2003 20:19:47 +0200
Matt Kettler wrote:
You are right, using the -h parameter things cleared up. Only non-local IP addresses are logged.

> At 10:03 AM 11/3/2003, Costas Magos wrote:
>
> > in my snort.conf, in order to catch the exchanged ascii data for all sessions. The snort output I get is directories named after IP addresses with SESSION:<hi-port>-<lo-port> files (see below an example). What seems to be confusing for me is whether the IP addresses used as directory names are the originators or the recipients of the sessions, i.e. did they initialize the session or just accept it? Under what criteria does snort pick the IP address of the session? How can this IP address be interpreted?
>
> Snort should pick the IP address of the "non-local" address, based on the -H command-line parameter (note that even though this is called "home network" it is not necessarily the same as HOME_NET in snort.conf, and they are configured separately).
>
> If you use no -H parameter, I think it will wind up defaulting to the destination address of whatever packet caused it to alert.

When not using the -h parameter, it seems that the IP addresses used as directories were from machines that *initiated* the sessions. This was verified against the actual binary, using ethereal. This was true for all sessions except for two IRC sessions, where the session file indicated that a non-local IP from port 6667 initiated a connection toward a local IP from port 6667 (that is, a server connecting to a client...) and ethereal revealed exactly the opposite, the local IP connecting to a remote IRC server. It is for this contradiction that I opened this thread.

> Personally, I switched to tcpdump output a long time ago. For speed and disk space reasons I'd recommend it over the plain ASCII mode logging. You can always convert the binary files to ASCII when you need to with tcpdump -xvvr. Tcpdump binary format is also convenient for feeding into a variety of other tools, should you want to do so.
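The confusion in this thread comes from two things the ASCII session layout does not encode: which side of a session opened it, and (when -h is not given) why a particular address became the directory name. The script below is an added example, not part of the thread and not Snort's own code. It models the naming rule exactly as described above (directory is the address outside the -h home network; with no home network, the destination of the packet that triggered logging; file name is SESSION:<hi-port>-<lo-port>) and then cross-checks that layout against the SYN-based ground truth that ethereal shows. The packets, addresses and the "first packet triggers logging" assumption are all constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed packet record: addresses, ports and TCP flag letters.
Packet = namedtuple("Packet", "src sport dst dport flags")


def session_path(pkt, home_net=None):
    """Directory and file name a Snort-style ASCII session log would use
    for this packet, following the rule described in the thread: with a
    home network (-h) the directory is the address *outside* it; with no
    home network it is the packet's destination address.  This is a
    model of the described behaviour, not Snort's own code."""
    if home_net is not None:
        net = ipaddress.ip_network(home_net)
        src_local = ipaddress.ip_address(pkt.src) in net
        dst_local = ipaddress.ip_address(pkt.dst) in net
        if src_local and not dst_local:
            dir_ip = pkt.dst
        elif dst_local and not src_local:
            dir_ip = pkt.src
        else:
            dir_ip = pkt.dst  # both inside or both outside: assumed fallback
    else:
        dir_ip = pkt.dst
    hi, lo = max(pkt.sport, pkt.dport), min(pkt.sport, pkt.dport)
    return dir_ip, f"SESSION:{hi}-{lo}"


def initiator(packets):
    """Ground truth from the packets themselves: the endpoint that sent a
    SYN without ACK opened the connection (what ethereal shows)."""
    for p in packets:
        if "S" in p.flags and "A" not in p.flags:
            return p.src, p.sport
    return None


def check_direction(packets, home_net=None):
    """Compare what the log layout suggests with what the SYN proves.
    Assumes the first packet in the list is the one that triggered
    logging.  Returns a dict a reviewer can assert on."""
    first = packets[0]
    dir_ip, fname = session_path(first, home_net)
    init = initiator(packets)
    return {
        "directory": dir_ip,
        "file": fname,
        "initiator": init,
        # the file name orders ports high-low, so it encodes no direction;
        # when both ports are equal even that weak hint is gone
        "ports_distinguish_ends": first.sport != first.dport,
        "directory_is_initiator": init is not None and dir_ip == init[0],
    }


# Constructed IRC session like the one in the thread: a local client
# on port 6667 connects out to a remote IRC server on port 6667.
IRC = [
    Packet("192.168.1.10", 6667, "203.0.113.5", 6667, "S"),
    Packet("203.0.113.5", 6667, "192.168.1.10", 6667, "SA"),
    Packet("192.168.1.10", 6667, "203.0.113.5", 6667, "A"),
]

if __name__ == "__main__":
    # with -h: directory is always the non-local side, whoever started it
    print(check_direction(IRC, home_net="192.168.1.0/24"))
    # without -h, logging triggered by the server's SYN/ACK: directory
    # becomes the client, which happens to be the initiator this time
    print(check_direction(IRC[1:] + IRC[:1], home_net=None))
```

The point the two runs make is that neither the directory name nor the SESSION:6667-6667 file name can tell you who connected to whom; only the packet that carried the bare SYN can, which is why verifying against the binary capture (tcpdump or ethereal) is the reliable check.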
Current thread:
- session output Costas Magos (Nov 03)
- Re: session output Matt Kettler (Nov 03)
- Re: session output Costas Magos (Nov 04)
- Re: session output Erek Adams (Nov 04)
- Re: session output Costas Magos (Nov 05)
- Re: session output Costas Magos (Nov 04)
- Re: session output Matt Kettler (Nov 03)
- <Possible follow-ups>
- Re: session output Costas Magos (Nov 04)