Snort mailing list archives

Re: SNORT Alert Messages


From: Y M via Snort-devel <snort-devel () lists snort org>
Date: Sun, 10 Jun 2018 00:21:06 +0000

Comments inline.

________________________________

Hello again everyone,

I want to learn which alert belongs to which packet when SNORT prints alert messages. Is there any unique parameter 
that identifies packets?

Such questions are better suited to the snort-users list. You will probably catch a wider audience there.

For example, when I give a pcap file which includes more than 50.000 packets to SNORT, I want to see alert
messages like this:

[some alert] - Packet ID: 125
[some alert] - Packet ID: 200
[some alert] - Packet ID: 1456
.
.
.
[some alert] - Packet ID: 23500

Which Snort version are we talking about here?

If there is no unique parameter for packets, how can I learn which alert belongs to which packet from the alert
messages?

By reviewing the packets via tcpdump/wireshark/tshark and correlating that to the detected rules? You can also chop
your pcap into smaller chunks, which should make it easier.

Thanks.

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
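One way to do the correlation suggested in the reply above, as an added example that is not part of the original thread and not Snort's own code: join Snort's alert_fast output with a tshark listing of the same pcap on timestamp and 5-tuple, which yields the frame number ("Packet ID") the original poster asked for. It assumes Snort 2.x alert_fast format with UTC timestamps (`snort -r file.pcap -A fast -U -c snort.conf`) and a tshark listing made with `tshark -r file.pcap -T fields -E separator=/t -e frame.number -e frame.time_epoch -e ip.proto -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport`; the alert and packet lines in the block are constructed sample data.

```python
"""
Recover a "Packet ID" (tshark frame number) for each Snort alert by joining
alert_fast lines with a tshark packet listing on timestamp and 5-tuple.
Example code added to this thread; not part of Snort.

Assumptions (not stated in the thread):
  * Snort 2.x alert_fast output with UTC timestamps (snort -A fast -U ...).
    Without -y Snort prints MM/DD-HH:MM:SS.ffffff, so the join key has no
    year; that is fine when one pcap is processed at a time.
  * tshark listing: -T fields -E separator=/t -e frame.number
    -e frame.time_epoch -e ip.proto -e ip.src -e ip.dst -e tcp.srcport
    -e tcp.dstport -e udp.srcport -e udp.dstport
Sample alert and packet lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# alert_fast: ts [**] [gid:sid:rev] msg [**] [Classification...] [Priority: n]
# {PROTO} src[:port] -> dst[:port]   (classification is optional)
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# ip.proto number -> the name Snort prints in braces
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}


def epoch_to_snort_ts(epoch: str) -> str:
    """Format frame.time_epoch ('1528590066.123456000') the way Snort prints
    it ('06/10-00:21:06.123456'). The fraction is kept as a string so the
    microseconds are not disturbed by float rounding."""
    secs, _, frac = epoch.partition(".")
    base = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    return base.strftime("%m/%d-%H:%M:%S") + "." + frac[:6].ljust(6, "0")


def index_packets(tshark_text: str) -> dict:
    """Map (ts, proto, src, sport, dst, dport) -> [frame numbers]. A list is
    kept because two frames can share a timestamp and 5-tuple."""
    index = defaultdict(list)
    for line in tshark_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 9:
            continue  # blank, malformed or non-IP frame: skip, do not guess
        frame, epoch, proto, src, dst, tsp, tdp, usp, udp_port = fields[:9]
        if proto not in PROTO_NAMES:
            continue
        if proto == "6":
            sport, dport = tsp, tdp
        elif proto == "17":
            sport, dport = usp, udp_port
        else:
            sport, dport = "", ""  # ICMP: Snort prints no ports
        key = (epoch_to_snort_ts(epoch), PROTO_NAMES[proto], src, sport, dst, dport)
        index[key].append(int(frame))
    return index


def parse_alerts(alert_text: str) -> list:
    """Parse alert_fast lines into dicts; non-matching lines are ignored."""
    alerts = []
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = d["sport"] or "", d["dport"] or ""
            alerts.append(d)
    return alerts


def correlate(alert_text: str, tshark_text: str) -> list:
    """Return [(sid, msg, [frame numbers])] in alert order; an empty list
    means no packet in the listing matched that alert."""
    index = index_packets(tshark_text)
    out = []
    for a in parse_alerts(alert_text):
        key = (a["ts"], a["proto"], a["src"], a["sport"], a["dst"], a["dport"])
        out.append((a["sid"], a["msg"], index.get(key, [])))
    return out


# Constructed sample data (not real captures); 1528590066 = 2018-06-10 00:21:06 UTC
TSHARK_SAMPLE = "\n".join("\t".join(f) for f in [
    ("1", "1528590066.000100000", "6", "10.0.0.5", "10.0.0.2", "40000", "80", "", ""),
    ("2", "1528590066.123456000", "6", "10.0.0.5", "10.0.0.2", "40000", "80", "", ""),
    ("3", "1528590066.500000000", "17", "10.0.0.5", "10.0.0.9", "", "", "5353", "53"),
    ("4", "1528590067.000000000", "1", "10.0.0.5", "10.0.0.2", "", "", "", ""),
])
ALERT_SAMPLE = """\
06/10-00:21:06.123456  [**] [1:1000001:1] TEST tcp to 80 [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:40000 -> 10.0.0.2:80
06/10-00:21:06.500000  [**] [1:1000002:1] TEST udp dns [**] [Priority: 0] {UDP} 10.0.0.5:5353 -> 10.0.0.9:53
06/10-00:21:07.000000  [**] [1:1000003:1] TEST icmp [**] [Priority: 0] {ICMP} 10.0.0.5 -> 10.0.0.2
06/10-00:21:08.000000  [**] [1:1000004:1] TEST no match [**] [Priority: 0] {TCP} 10.0.0.7:1 -> 10.0.0.2:2
"""

if __name__ == "__main__":
    for sid, msg, frames in correlate(ALERT_SAMPLE, TSHARK_SAMPLE):
        ids = ", ".join(map(str, frames)) if frames else "no matching packet"
        print(f"[{sid}] {msg} - Packet ID: {ids}")
```

The join is only as good as the timestamps: Snort must print in the same zone as the conversion (hence -U and UTC here), and a frame that Snort never alerted on, or an alert whose tuple is printed differently (tunnelled traffic with two IP layers, for instance), ends up with an empty frame list rather than a wrong one.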
