Snort mailing list archives

matching logs..


From: "Ashley Thomas" <athomas () cc gatech edu>
Date: Thu, 6 Jun 2002 13:53:56 -0400

Hi,

I was trying to make sense of the logs I got while running Snort.

I ran snort in two modes

1. ./snort -i eth1 -c snort.conf -llog-dir

I get an alert:

[**] SHELLCODE x86 setgid 0 [**]
06/06-00:19:41.157463 A.B.C.D:14630 -> P.Q.R.S:4369
TCP TTL:62 TOS:0x0 ID:51704 IpLen:20 DgmLen:1480 DF
***A**** Seq: 0xF2FC9838  Ack: 0x5EC73BBF  Win: 0x16D0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

2. I had also run Snort as
./snort -dve -i eth1 -llog-dir2

There should be a corresponding entry for this alert in log-dir2 also, right?

I see a lot of files TCP:port1-port2, where port1-port2 are numbers.

Now I look for the combination 14630:4369, since the alert is that combo.
In fact there is a file TCP:14630-4369, but it shows all the logs having
P.Q.R.S:4369 -> A.B.C.D:14630, EXACTLY the opposite of the alert!!
----------------------------------------------------------------------------
and there is no file TCP:4369-14630!!

Why is the direction shown the opposite way? Does that mean something?
If anyone could clarify, it would be great!


thanks
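
As an added example (not part of Ashley's post, and not Snort's own code), the following Python resolves a full-mode alert like the one quoted above to its per-session log file by trying both port orderings, then reports whether the packets in that file run in the alert's direction or the opposite one, and whether the alerted packet's timestamp is present at all. It assumes that the ASCII packet logger names each session file PROTO:port1-port2 and can hold both directions of the session in that one file, which is what the post's observation (one file, TCP:14630-4369, and no TCP:4369-14630) suggests; the directory listing, the -dve style session-log lines and the MAC addresses are constructed sample data, and the layout of those -e lines (timestamp on the link-layer line, IP endpoints on the next line) is recalled from memory rather than taken from the post.

```python
"""Resolve a Snort full-alert block to its session log file and compare
packet directions.  Added example, not code from the original post or
from Snort.  Assumption: the ASCII logger names one file per session as
<PROTO>:<port1>-<port2> from the port pair as it first saw them, so both
directions share a file whose name need not match the alert's direction."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# "[**] <signature> [**]" banner of a full-mode alert
ALERT_MSG = re.compile(r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]")
# Snort timestamp, e.g. 06/06-00:19:41.157463
TIMESTAMP = re.compile(r"\d\d/\d\d-\d\d:\d\d:\d\d\.\d+")
# "host:port -> host:port"; works for dotted quads and for the A.B.C.D
# placeholders in the post.  The lookahead stops a port from being read
# out of the hex groups of a MAC address.
ENDPOINTS = re.compile(r"(?P<src>\S+):(?P<sp>\d+) -> (?P<dst>\S+):(?P<dp>\d+)(?=\s|$)")
# link-layer line written by -e ("... type:0x800 len:0x5EA"); carries no ports
LINK_LAYER = re.compile(r"\btype:0x[0-9A-Fa-f]+")
PROTO = re.compile(r"^(TCP|UDP|ICMP)\b")


@dataclass(frozen=True)
class Flow:
    src: str
    sp: int
    dst: str
    dp: int

    def reversed(self) -> "Flow":
        return Flow(self.dst, self.dp, self.src, self.sp)


@dataclass
class Alert:
    message: str
    timestamp: str
    proto: str
    flow: Flow


def parse_alert(text: str) -> Alert:
    """Parse one full-alert-mode block like the one quoted in the post."""
    msg, ts, ep = ALERT_MSG.search(text), TIMESTAMP.search(text), ENDPOINTS.search(text)
    proto = None
    for line in text.splitlines():
        m = PROTO.match(line.strip())
        if m:
            proto = m.group(1)
            break
    if not (msg and ts and ep and proto):
        raise ValueError("not a recognisable Snort alert block")
    flow = Flow(ep["src"], int(ep["sp"]), ep["dst"], int(ep["dp"]))
    return Alert(msg["msg"], ts.group(0), proto, flow)


def candidate_session_files(alert: Alert) -> List[str]:
    """Both possible file names: alert direction first, then the reverse."""
    f = alert.flow
    return [f"{alert.proto}:{f.sp}-{f.dp}", f"{alert.proto}:{f.dp}-{f.sp}"]


def find_session_file(alert: Alert, listing: Iterable[str]) -> Optional[str]:
    """Return whichever candidate exists in the log directory listing, if any."""
    names = set(listing)
    return next((c for c in candidate_session_files(alert) if c in names), None)


def direction_summary(alert: Alert, session_log: str) -> Dict[str, int]:
    """Count logged packets running in the alert's direction ("forward"),
    the opposite direction ("reverse"), or belonging to another flow ("other")."""
    counts = {"forward": 0, "reverse": 0, "other": 0}
    want, back = alert.flow, alert.flow.reversed()
    for line in session_log.splitlines():
        if LINK_LAYER.search(line):  # MAC header line, no IP endpoints here
            continue
        m = ENDPOINTS.search(line)
        if not m:
            continue
        got = Flow(m["src"], int(m["sp"]), m["dst"], int(m["dp"]))
        counts["forward" if got == want else "reverse" if got == back else "other"] += 1
    return counts


def alerted_packet_logged(alert: Alert, session_log: str) -> bool:
    """True if the alert's exact timestamp appears in the session file."""
    return alert.timestamp in session_log


# The alert block from the post, verbatim.
SAMPLE_ALERT = """[**] SHELLCODE x86 setgid 0 [**]
06/06-00:19:41.157463 A.B.C.D:14630 -> P.Q.R.S:4369
TCP TTL:62 TOS:0x0 ID:51704 IpLen:20 DgmLen:1480 DF
***A**** Seq: 0xF2FC9838  Ack: 0x5EC73BBF  Win: 0x16D0  TcpLen: 20
"""
# Constructed directory listing and -dve style session log (sample data,
# not from the post); MAC addresses and the other two packets are invented.
SAMPLE_LISTING = ["TCP:14630-4369", "TCP:1025-80", "UDP:53-33434"]
SAMPLE_SESSION_LOG = """\
06/06-00:19:40.901122 0:D0:B7:A1:B2:C3 -> 0:E0:98:7A:2B:35 type:0x800 len:0x3C
P.Q.R.S:4369 -> A.B.C.D:14630
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
06/06-00:19:41.157463 0:E0:98:7A:2B:35 -> 0:D0:B7:A1:B2:C3 type:0x800 len:0x5EA
A.B.C.D:14630 -> P.Q.R.S:4369
TCP TTL:62 TOS:0x0 ID:51704 IpLen:20 DgmLen:1480 DF
06/06-00:19:41.200001 0:D0:B7:A1:B2:C3 -> 0:E0:98:7A:2B:35 type:0x800 len:0x36
P.Q.R.S:4369 -> A.B.C.D:14630
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:52 DF
"""

if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print("session file:", find_session_file(a, SAMPLE_LISTING))
    print("direction counts:", direction_summary(a, SAMPLE_SESSION_LOG))
    print("alerted packet present:", alerted_packet_logged(a, SAMPLE_SESSION_LOG))
```

On the constructed data the file is found under the reverse-ordered name, the direction count shows one packet in the alert's direction and two the other way, and the alert's timestamp is present, so the session log does contain the alerted packet even though most of the traffic in it flows the other way. Matching on the exact timestamp is the cheapest cross-check between the alert file and the packet log, since both come from the same capture clock.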





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net