Snort mailing list archives

Re: packet decodes on full alerts


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 19 Nov 2001 13:47:01 -0800 (PST)

On Mon, 19 Nov 2001, Lance Spitzner wrote:

Question on 1.8

I have Snort sending full alerts to a log file.

   output alert_full: /var/adm/snort_alerts

Is there any way I can get the alerts to include the actual
packet payload of the packet that initiated the alert?  I
have Snort running with the '-d' option and thought that
would do the trick, but it does not.  Below are the alerts
I am getting; I would like to get the packet payload also.

You can't get it into the snort_alerts file.  The alerts file(s) are the
alerts and packet headers only.  If you want to get the full payload, log to
binary, and then post-process the binary log file.  Use something like 'snort
-dvr <binary file> -l <logdir>' and it will break down all the packets in the
binary file to the decoded output in <logdir>/<IP Address>/.  If you don't
want all alerts, be sure to use a BPF filter at the end to only get what you
want to see: "host foo" or "port foo".

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
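As an added example (not from the original thread), a small POSIX sh wrapper for the approach Erek describes: keep the poster's alert_full output, add a binary packet log via Snort's log_tcpdump output plugin, then decode only the traffic of interest with 'snort -dvr <binary file> -l <logdir>' plus a BPF filter. The file paths, the log_tcpdump line and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. The paths and the
# log_tcpdump plugin line are this example's choices, not the poster's.
set -eu

# snort.conf output lines: the poster's alert_full plus a binary log.
# alert_full holds alerts and headers only; the payload lives in the
# tcpdump-format binary log, which is what gets post-processed later.
snort_output_config() {
    cat <<'EOF'
output alert_full: /var/adm/snort_alerts
output log_tcpdump: /var/adm/snort.log
EOF
}

# Build the post-processing command from the reply.
# $1 = binary log, $2 = output directory, $3 (optional) = BPF filter,
# appended at the end so only matching packets are decoded.
# Decoded packets land in <logdir>/<IP address>/ .
postprocess_cmd() {
    bin="$1"; logdir="$2"; bpf="${3:-}"
    cmd="snort -dvr $bin -l $logdir"
    [ -n "$bpf" ] && cmd="$cmd $bpf"
    printf '%s\n' "$cmd"
}

# Run the decode step, refusing bad inputs (missing capture, unwritable
# log directory) before snort is invoked, so a typo does not silently
# produce an empty <logdir>.
decode_payloads() {
    bin="$1"; logdir="$2"; bpf="${3:-}"
    [ -r "$bin" ] || { echo "no readable binary log: $bin" >&2; return 1; }
    mkdir -p "$logdir" && [ -w "$logdir" ] || {
        echo "cannot write to log directory: $logdir" >&2; return 1; }
    eval "$(postprocess_cmd "$bin" "$logdir" "$bpf")"
}

# Usage (after snort has written the binary log with the config above):
#   decode_payloads /var/adm/snort.log /var/adm/snort_decoded "host 10.0.0.5"
```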
