Re: Logging packet contents in alerts.

[Colin Wu <wucolin () mcmaster ca>]

Why not build tcpdump on your non-snort box and use 'tcpdump -X -r snort.log.file' to extract the contents.  I don't 
see why you need to restart snort to get the data dumped since you're logging application data to tcpdump format file 
anyway.  Am I missing something?  If you just want to checkpoint the snort logs you can send it
a HUP signal.  If you started snort with a -b flag, and using the default log file name snort will create a new binary 
log file with a different timestamp.

Matthew Collins wrote:

> I'm currently using snort 1.7 as the IDS for our company. It is set up to log all packets (and application layer) in 
> tcpdump format. Alerts are recorded to a text file, and also to syslog. I've got a script that checks to see if the 
> alert file has changed, and mails those changes to me. Cron runs this script every 15 minutes.
> This is running very well, alerts pop up on my email now and again (mostly port scans & NetBIOS name service 
> attempts). However, sometimes I get an alert like this. (Our IP address munged)
>
> [**] WEB-IIS global-asa access [**]
> 06/06-15:11:33.932815 207.46.130.57:80 -> aa.bb.cc.dd:1091
> TCP TTL:53 TOS:0x0 ID:287 IpLen:20 DgmLen:1408 DF
> ***A**** Seq: 0x3BB0A9DE  Ack: 0xD30A3988  Win: 0x3B14  TcpLen: 20
>
> Now, this is either,
>
> A. False alarm, move along, nothing to see here.
> B. Someone in our company deciding to do a bit of web defacement in their lunch hour.
>
> Now to check this, I've got to ssh onto the snort box, restart snort, scp the tcpdump log file to my machine, run 
> snort with various options to extract the packet contents and then examine the packet.
> Depending how late in the day this is, this can take some time. (For various reasons, the extract cannot be done on 
> the snort box itself)
>
> If the packet contents were in the alert, I'd be able to tell straight away if this was a false alarm. Is there any 
> way to get snort to do this?
>
> --
>
> ****************************************************************************************
> This message and any attachments are confidential to the ordinary user of
> the e-mail address to which it was addressed and may also be privileged.
> If you are not the addressee you may not copy, forward, disclose or use
> any part of the message or its attachments and if you have received this
> message in error, please notify the sender immediately by return e-mail and
> delete it from your system.
> Internet communications cannot be guaranteed to be secure or error-free
> as information could be intercepted, corrupted, lost, arrive late or contain
> viruses. The sender therefore does not accept liability for any errors or
> omissions in the context of this message which arise as a result of Internet
> transmission.
> Northern Registrars Limited, Northern House, Woodsome Park, Fenay
> Bridge, Huddersfield. HD8 0LA.
> Tel: +44 (0) 1484 600900  Fax: +44 (0) 1484 600911
> For more information visit our web site: http://www.northernregistrars.co.uk
> ****************************************************************************************
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--

   __     _             _            Network Analyst
  /  )   //            ' )   /       Computing & Information Services
 /    __|/  o ____      / / / . .    McMaster University
(__/ (_) \_<_/ / <_    (_(_/ (_/_    (905)525-9140 ext 24050
                                     http://netman.McMaster.CA



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users