Snort mailing list archives

Re: session output


From: Costas Magos <kmag () lab epmhs gr>
Date: Mon, 03 Nov 2003 19:01:17 +0200

Well, actually I do know what I told snort to show me: log printable keystrokes for all sessions. I have added the following rule

log ip any any <> any any (session: printable;)

to snort.conf for this reason. This is a small experimental non-production network with a low volume of collected data. Snort is used to capture, log and alert on traffic coming in and going out of that network.

I need help on how to interpret the IP address used in the directories created by snort. Is it the client (did it initiate the session) or the server (did it accept the connection) in the logged sessions?

~kmag

P.S. I'm sorry for messing up the original posting.

J. wrote:

I'm really not sure I understand your question, but I'm gonna try =)

Without knowing how you are using Snort it's hard to be able to tell you
what you told snort to show you, especially if you don't know =)

These directories are alert logs and contain summary data for alerts.

Alerts are generated by snort based on rules.  You clearly have defined
rules and they are occurring.

Perhaps they are not important alerts, but alerts nonetheless...

Unless you are logging rather than alerting...but why would anyone do this
in ascii??  Scary...

HTH.

J.


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Costas Magos
Sent: Monday, November 03, 2003 8:03 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] session output


hi all,

I apologize if this has been discussed before (probably has), but I have
searched in the archives with no luck. I am using snort 1.9.0 on a RH
7.3 machine and I have the rule:

log ip any any <> any any (session: printable;)

in my snort.conf, in order to catch the exchanged ascii data for all
sessions. The snort-output I get is directories named after IP addresses
with SESSION:<hi-port>-<lo-port> files (see below an example). What it
seems to be confusing for me, is whether the IP addresses used as
directory names are the originators or the recipients of the sessions,
i.e. did they initialize the session or just accepted it? Under what
criteria does snort pick the IP address of the session? How can this IP
address be interpreted?

[kmag@kmag]$ tree
|-- 143.101.50.217
|   |-- SESSION:2487-80
|   `-- SESSION:4961-80
|-- 192.163.247.228
|   |-- SESSION:1601-80
|   |-- SESSION:2297-80
|   |-- SESSION:2812-80
|   |-- SESSION:4065-80
|   `-- SESSION:4855-80
|-- 192.163.75.1
|   |-- SESSION:1025-443
|   |-- SESSION:1026-443
|   |-- SESSION:1027-443
|   |-- SESSION:54923-26
|   `-- SESSION:55021-26
|-- 61.134.172.78
|   `-- SESSION:4280-80
|-- 62.172.135.202
|   |-- SESSION:2386-1433
|   |-- SESSION:3345-1433
|   |-- SESSION:4195-1433
|   `-- SESSION:4198-1433
|-- 81.89.13.95
|   |-- SESSION:4605-26
|   `-- SESSION:4738-26

Thanks in advance. Kind regards,

Costas Magos
Internet Systematics Lab
NCSR "Demokritos"
Athens, Greece
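
A small parser for the directory layout shown in the post, added here as an example (it is not code from the thread or from Snort itself). It reads tree(1)-style output into (ip, hi-port, lo-port) records and tabulates, per directory IP, how many sessions were logged and which low ports appear. Treating the low port as the probable service port is a heuristic assumption of this example: the SESSION:<hi>-<lo> file name orders the ports numerically and so does not itself record which side opened the connection.

```python
import re
from collections import defaultdict

# Constructed sample in the layout from the post: one directory per IP,
# one SESSION:<hi-port>-<lo-port> file per logged session.
SAMPLE_TREE = """\
|-- 143.101.50.217
|   |-- SESSION:2487-80
|   `-- SESSION:4961-80
|-- 192.163.75.1
|   |-- SESSION:1025-443
|   `-- SESSION:54923-26
"""

DIR_RE = re.compile(r"^\|-- (\d{1,3}(?:\.\d{1,3}){3})\s*$")
FILE_RE = re.compile(r"^\|   [|`]-- SESSION:(\d+)-(\d+)\s*$")


def parse_tree(text):
    """Return a list of (ip, hi_port, lo_port) tuples from tree(1) output."""
    sessions = []
    current_ip = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_ip = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current_ip:
            a, b = int(m.group(1)), int(m.group(2))
            # Normalise explicitly; the file name is already hi-lo ordered.
            sessions.append((current_ip, max(a, b), min(a, b)))
    return sessions


def summarize(sessions):
    """Per directory IP: session count and the set of low ports seen.

    The low port is taken as the probable service port (an assumption of
    this example); the file name alone does not say which side initiated.
    """
    acc = defaultdict(lambda: {"sessions": 0, "service_ports": set()})
    for ip, _hi, lo in sessions:
        acc[ip]["sessions"] += 1
        acc[ip]["service_ports"].add(lo)
    return {ip: {"sessions": v["sessions"],
                 "service_ports": sorted(v["service_ports"])}
            for ip, v in acc.items()}
```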



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
