Snort mailing list archives
Re: session output
From: Costas Magos <kmag () lab epmhs gr>
Date: Mon, 03 Nov 2003 19:01:17 +0200
Well, actually I do know what I told snort to show me: log printable keystrokes for all sessions. I have added the following rule to snort.conf for this reason:

log ip any any <> any any (session: printable;)

This is a small experimental non-production network with a low volume of collected data. Snort is used to capture, log and alert on traffic coming in and going out of that network.
I need help on how to interpret the IP address used in the directories created by snort. Is it the client (did it initiate the session) or the server (did it accept the connection) in the logged sessions?
~kmag

P.S. I'm sorry for messing up the original posting.

J. wrote:
I'm really not sure I understand your question, but I'm gonna try =) Without knowing how you are using Snort it's hard to be able to tell you what you told snort to show you, especially if you don't know =) These directories are alert logs and contain summary data for alerts. Alerts are generated by snort based on rules. You clearly have defined rules and they are occurring. Perhaps they are not important alerts, but alerts nonetheless... Unless you are logging rather than alerting... but why would anyone do this in ASCII?? Scary... HTH. J.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Costas Magos
Sent: Monday, November 03, 2003 8:03 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] session output

hi all, I apologize if this has been discussed before (probably has), but I have searched in the archives with no luck. I am using snort 1.9.0 on a RH 7.3 machine and I have the rule

log ip any any <> any any (session: printable;)

in my snort.conf, in order to catch the exchanged ASCII data for all sessions. The snort output I get is directories named after IP addresses with SESSION:<hi-port>-<lo-port> files (see below an example). What seems to be confusing for me is whether the IP addresses used as directory names are the originators or the recipients of the sessions, i.e. did they initialize the session or just accept it? Under what criteria does snort pick the IP address of the session? How can this IP address be interpreted?
[kmag@kmag]$ tree
|-- 143.101.50.217
|   |-- SESSION:2487-80
|   `-- SESSION:4961-80
|-- 192.163.247.228
|   |-- SESSION:1601-80
|   |-- SESSION:2297-80
|   |-- SESSION:2812-80
|   |-- SESSION:4065-80
|   `-- SESSION:4855-80
|-- 192.163.75.1
|   |-- SESSION:1025-443
|   |-- SESSION:1026-443
|   |-- SESSION:1027-443
|   |-- SESSION:54923-26
|   `-- SESSION:55021-26
|-- 61.134.172.78
|   `-- SESSION:4280-80
|-- 62.172.135.202
|   |-- SESSION:2386-1433
|   |-- SESSION:3345-1433
|   |-- SESSION:4195-1433
|   `-- SESSION:4198-1433
|-- 81.89.13.95
|   |-- SESSION:4605-26
|   `-- SESSION:4738-26

Thanks in advance.

Kind regards,
Costas Magos
Internet Systematics Lab
NCSR "Demokritos"
Athens, Greece

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
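The listing above is the only structure the thread gives us: one directory per IP address, and inside it one SESSION:<hi-port>-<lo-port> file per logged session. The following script is an added example (editor's code, not from the thread and not part of Snort) that walks paths of exactly that shape and summarizes them per assumed service port and per directory IP. It assumes that the lower-numbered port of the pair is the server-side (service) port and the higher one the ephemeral client port, which is what the poster's own <hi-port>-<lo-port> description suggests; it deliberately makes no claim about whether the directory IP initiated or accepted the session, because the path name alone does not carry that information, which is precisely the question the thread asks. The sample paths are constructed from the listing in the post; SAMPLE_PATHS, parse_session_path, summarize and hosts_for_service are names introduced here.

```python
"""Summarize Snort ascii session logs laid out as <ip>/SESSION:<hi-port>-<lo-port>.

Editor's added example, not code from the thread or from Snort.
Assumption: the lower-numbered port is the service (server-side) port and the
higher one the ephemeral client port. The path alone does not say whether the
directory IP initiated or accepted the session, so nothing here tries to decide that.
"""
import re
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# File component written by Snort's session logger: "SESSION:<port>-<port>".
SESSION_FILE_RE = re.compile(r"^SESSION:(\d{1,5})-(\d{1,5})$")
# Directory component: a dotted-quad IPv4 address (as in the posted listing).
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Constructed sample: the directory listing from the post, as relative paths.
SAMPLE_PATHS = [
    "143.101.50.217/SESSION:2487-80",
    "143.101.50.217/SESSION:4961-80",
    "192.163.247.228/SESSION:1601-80",
    "192.163.247.228/SESSION:2297-80",
    "192.163.247.228/SESSION:2812-80",
    "192.163.247.228/SESSION:4065-80",
    "192.163.247.228/SESSION:4855-80",
    "192.163.75.1/SESSION:1025-443",
    "192.163.75.1/SESSION:1026-443",
    "192.163.75.1/SESSION:1027-443",
    "192.163.75.1/SESSION:54923-26",
    "192.163.75.1/SESSION:55021-26",
    "61.134.172.78/SESSION:4280-80",
    "62.172.135.202/SESSION:2386-1433",
    "62.172.135.202/SESSION:3345-1433",
    "62.172.135.202/SESSION:4195-1433",
    "62.172.135.202/SESSION:4198-1433",
    "81.89.13.95/SESSION:4605-26",
    "81.89.13.95/SESSION:4738-26",
]


def parse_session_path(path):
    """Return (ip, high_port, low_port) for '<ip>/SESSION:<a>-<b>', else None.

    Absolute paths are accepted: only the last two components are examined.
    Port order in the file name is normalised so callers never depend on it.
    Anything that is not a well-formed session file (other Snort log files,
    non-IP directories, out-of-range ports) yields None instead of garbage.
    """
    parts = PurePosixPath(path).parts
    if len(parts) < 2:
        return None
    ip, fname = parts[-2], parts[-1]
    m = SESSION_FILE_RE.match(fname)
    if m is None or IPV4_RE.match(ip) is None:
        return None
    a, b = int(m.group(1)), int(m.group(2))
    if not (0 < a <= 65535 and 0 < b <= 65535):
        return None
    return ip, max(a, b), min(a, b)


def summarize(paths):
    """Count sessions per assumed service port and list (hi, lo) pairs per directory IP.

    Returns (service_counts, sessions_by_host). Unparseable entries are counted
    under the key None so they are visible rather than silently dropped.
    """
    service_counts = Counter()
    by_host = defaultdict(list)
    for p in paths:
        parsed = parse_session_path(p)
        if parsed is None:
            service_counts[None] += 1
            continue
        ip, hi, lo = parsed
        service_counts[lo] += 1
        by_host[ip].append((hi, lo))
    return service_counts, dict(by_host)


def hosts_for_service(paths, port):
    """Sorted directory IPs that have at least one session on the assumed service port."""
    _, by_host = summarize(paths)
    return sorted(ip for ip, pairs in by_host.items() if any(lo == port for _, lo in pairs))


if __name__ == "__main__":
    counts, by_host = summarize(SAMPLE_PATHS)
    for port in sorted(p for p in counts if p is not None):
        print(f"assumed service port {port}: {counts[port]} session file(s)")
    if counts[None]:
        print(f"skipped {counts[None]} entries that are not SESSION files")
    for ip, pairs in sorted(by_host.items()):
        print(ip, " ".join(f"{hi}-{lo}" for hi, lo in pairs))
```

Run against a real Snort log directory by feeding it the output of `find <logdir> -name 'SESSION:*'`; the per-service counts are the quick way to spot what the sensor is actually capturing (in the posted listing, four sessions towards port 1433 and four towards port 26 alongside the web traffic), while the per-IP lines keep the directory naming exactly as Snort produced it so that the client-versus-server question can be settled from the packet payloads rather than guessed from the file name.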
Current thread:
- session output Costas Magos (Nov 03)
- Re: session output Matt Kettler (Nov 03)
- Re: session output Costas Magos (Nov 04)
- Re: session output Erek Adams (Nov 04)
- Re: session output Costas Magos (Nov 05)
- Re: session output Costas Magos (Nov 04)
- Re: session output Matt Kettler (Nov 03)
- <Possible follow-ups>
- Re: session output Costas Magos (Nov 04)