Snort mailing list archives
Re: Logging packet contents in alerts.
From: Colin Wu <wucolin () mcmaster ca>
Date: Wed, 06 Jun 2001 12:35:14 -0400
Why not build tcpdump on your non-snort box and use 'tcpdump -X -r snort.log.file' to extract the contents. I don't see why you need to restart snort to get the data dumped since you're logging application data to tcpdump format file anyway. Am I missing something? If you just want to checkpoint the snort logs you can send it a HUP signal. If you started snort with a -b flag, and using the default log file name snort will create a new binary log file with a different timestamp. Matthew Collins wrote:
I'm currently using snort 1.7 as the IDS for our company. It is set up to log all packets (and application layer) in tcpdump format. Alerts are recorded to a text file, and also to syslog. I've got a script that checks to see if the alert file has changed, and mails those changes to me. Cron runs this script every 15 minutes. This is running very well, alerts pop up on my email now and again (mostly port scans & NetBIOS name service attempts). However, sometimes I get an alert like this. (Our IP address munged) [**] WEB-IIS global-asa access [**] 06/06-15:11:33.932815 207.46.130.57:80 -> aa.bb.cc.dd:1091 TCP TTL:53 TOS:0x0 ID:287 IpLen:20 DgmLen:1408 DF ***A**** Seq: 0x3BB0A9DE Ack: 0xD30A3988 Win: 0x3B14 TcpLen: 20 Now, this is either, A. False alarm, move along, nothing to see here. B. Someone in our company deciding to do a bit of web defacement in their lunch hour. Now to check this, I've got to ssh onto the snort box, restart snort, scp the tcpdump log file to my machine, run snort with various options to extract the packet contents and then examine the packet. Depending how late in the day this is, this can take some time. (For various reasons, the extract cannot be done on the snort box itself) If the packet contents were in the alert, I'd be able to tell straight away if this was a false alarm. Is there any way to get snort to do this? -- **************************************************************************************** This message and any attachments are confidential to the ordinary user of the e-mail address to which it was addressed and may also be privileged. If you are not the addressee you may not copy, forward, disclose or use any part of the message or its attachments and if you have received this message in error, please notify the sender immediately by return e-mail and delete it from your system. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. The sender therefore does not accept liability for any errors or omissions in the context of this message which arise as a result of Internet transmission. Northern Registrars Limited, Northern House, Woodsome Park, Fenay Bridge, Huddersfield. HD8 0LA. Tel: +44 (0) 1484 600900 Fax: +44 (0) 1484 600911 For more information visit our web site: http://www.northernregistrars.co.uk **************************************************************************************** _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- __ _ _ Network Analyst / ) // ' ) / Computing & Information Services / __|/ o ____ / / / . . McMaster University (__/ (_) \_<_/ / <_ (_(_/ (_/_ (905)525-9140 ext 24050 http://netman.McMaster.CA _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Logging packet contents in alerts. Matthew Collins (Jun 06)
- Re: Logging packet contents in alerts. Colin Wu (Jun 06)
- <Possible follow-ups>
- Re: Logging packet contents in alerts. Matthew Collins (Jun 07)