Snort mailing list archives
Logging packet contents in alerts.
From: "Matthew Collins" <Matthew.Collins () northernregistrars co uk>
Date: Wed, 06 Jun 2001 17:10:16 +0100
I'm currently using snort 1.7 as the IDS for our company. It is set up to log all packets (and application layer) in tcpdump format. Alerts are recorded to a text file, and also to syslog. I've got a script that checks to see if the alert file has changed, and mails those changes to me. Cron runs this script every 15 minutes. This is running very well, alerts pop up on my email now and again (mostly port scans & NetBIOS name service attempts). However, sometimes I get an alert like this. (Our IP address munged) [**] WEB-IIS global-asa access [**] 06/06-15:11:33.932815 207.46.130.57:80 -> aa.bb.cc.dd:1091 TCP TTL:53 TOS:0x0 ID:287 IpLen:20 DgmLen:1408 DF ***A**** Seq: 0x3BB0A9DE Ack: 0xD30A3988 Win: 0x3B14 TcpLen: 20 Now, this is either, A. False alarm, move along, nothing to see here. B. Someone in our company deciding to do a bit of web defacement in their lunch hour. Now to check this, I've got to ssh onto the snort box, restart snort, scp the tcpdump log file to my machine, run snort with various options to extract the packet contents and then examine the packet. Depending how late in the day this is, this can take some time. (For various reasons, the extract cannot be done on the snort box itself) If the packet contents were in the alert, I'd be able to tell straight away if this was a false alarm. Is there any way to get snort to do this? -- **************************************************************************************** This message and any attachments are confidential to the ordinary user of the e-mail address to which it was addressed and may also be privileged. If you are not the addressee you may not copy, forward, disclose or use any part of the message or its attachments and if you have received this message in error, please notify the sender immediately by return e-mail and delete it from your system. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. The sender therefore does not accept liability for any errors or omissions in the context of this message which arise as a result of Internet transmission. Northern Registrars Limited, Northern House, Woodsome Park, Fenay Bridge, Huddersfield. HD8 0LA. Tel: +44 (0) 1484 600900 Fax: +44 (0) 1484 600911 For more information visit our web site: http://www.northernregistrars.co.uk **************************************************************************************** _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Logging packet contents in alerts. Matthew Collins (Jun 06)
- Re: Logging packet contents in alerts. Colin Wu (Jun 06)
- <Possible follow-ups>
- Re: Logging packet contents in alerts. Matthew Collins (Jun 07)