Snort mailing list archives
Re: packet decodes on full alerts
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 19 Nov 2001 13:47:01 -0800 (PST)
On Mon, 19 Nov 2001, Lance Spitzner wrote:
> Question on 1.8. I have Snort sending full alerts to a log file:
>
>     output alert_full: /var/adm/snort_alerts
>
> Is there any way I can get the alerts to include the actual packet payload of the packet that initiated the alert? I have Snort running with the '-d' option, thought that would do the trick but it is not. Below are the alerts I am getting; I would like to get the packet payload also.
You can't get it into the snort_alerts file. The alerts file(s) are the alerts and packet headers only.

If you want to get the full payload, log to binary, and then post process the binary log file. Use something like:

    snort -dvr <binary file> -l <logdir>

and it will break down all the packets in the binary file to the decoded output in <logdir>/<IP Address>/ . If you don't want all alerts, be sure and use a BPF filter at the end to only get what you want to see, "host foo" or "port foo".

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
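The post-processing step Erek describes works because Snort's binary log is a libpcap capture. The following is an added example, not code from this thread or from Snort: a minimal standalone decoder that walks such a capture and pulls out the TCP/UDP payload of each packet (the part the alert file omits), run here against a constructed one-packet capture built in `build_sample_pcap()`.

```python
import struct

ETHERTYPE_IPV4 = b"\x08\x00"

def parse_pcap(data):
    """Yield (ts_sec, frame) from a libpcap-format capture (the format of Snort's binary log)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap capture")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def decode_payload(frame):
    """Return (src, dst, proto, sport, dport, payload) for an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ip = ip[:struct.unpack_from("!H", ip, 2)[0]]  # trim to IP total length (drops Ethernet padding)
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", l4, 0)
    if proto == 6:        # TCP: header length is the high nibble of byte 12, in 32-bit words
        payload = l4[(l4[12] >> 4) * 4:]
    elif proto == 17:     # UDP: fixed 8-byte header
        payload = l4[8:]
    else:
        return None
    return src, dst, proto, sport, dport, payload

def build_sample_pcap():
    """Constructed sample (not real traffic): one Ethernet/IPv4/TCP frame with an HTTP request, in pcap form."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 168, 1, 1]))
    frame = b"\x00" * 12 + ETHERTYPE_IPV4 + ip + tcp + payload
    pcap_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    pkt_hdr = struct.pack("<IIII", 1006189621, 0, len(frame), len(frame))
    return pcap_hdr + pkt_hdr + frame

def payloads_from_pcap(data):
    """Decode every TCP/UDP payload in the capture; this is the detail 'snort -dvr' writes per packet."""
    decoded = (decode_payload(frame) for _, frame in parse_pcap(data))
    return [d for d in decoded if d is not None]
```

Point a real binary log at `payloads_from_pcap(open(path, "rb").read())` to see the payloads behind the alerts; filter on `sport`/`dport`/addresses in Python where Erek suggests a BPF expression.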
Current thread:
- packet decodes on full alerts Lance Spitzner (Nov 19)
- Re: packet decodes on full alerts Erek Adams (Nov 19)
- Re: packet decodes on full alerts Phil Wood (Nov 19)