Snort mailing list archives

Alert messages in packet dumps


From: Neil Dickey <neil () geol niu edu>
Date: Wed, 9 Apr 2003 13:36:38 -0500 (CDT)

I've read the Snort manual, the man page, and checked the FAQ, but I
haven't found the answer to my problem.  First, here's what I'm running:

  Snort version 2.0.0.rc3
  Solaris 2.7

Alerts are going into an ASCII alert file, and the packets are stored
in a tcpdump-format file.  This is the relevant entry in my snort.conf
file:

  output log_tcpdump: /$LOGPATH/tcpdump.log

Here is my command line for invoking Snort in daemon mode:

  snort -dDe -A full -h my.home.net.0/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o -k none

This is what I'm currently using to translate the tcpdump file:

  snort -deX -q -A full -l $LOGPATH -r $LOGPATH/$READFILE

The problem is that when I decode the tcpdump file I haven't found a way
to get the alert messages to be written with the packet headers and contents
that the associated rule generated.  Here's what I get when I don't use
the tcpdump output option:

[**] WEB-CGI formmail access [**]
04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
bad.guy.net.188:1562 -> my.home.net.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
***AP*** Seq: 0x1101259E  Ack: 0xDA5E3BE7  Win: 0x2238  TcpLen: 20
47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99  GET http://wweb.
99 99 99 99 99 99 99 99 99 65 64 75 2F 63 67 69  serv.uni.edu/cgi
2D 62 69 6E 2F 66 6F 72 6D 6D 61 69 6C 2E 70 6C  -bin/formmail.pl
[ ... ]

Here's all I can get so far when I decode the tcpdump output:

04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
bad.guy.net.188:1562 -> my.home.net.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
***AP*** Seq: 0x1101259E  Ack: 0xDA5E3BE7  Win: 0x2238  TcpLen: 20
47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99  GET http://wweb.
99 99 99 99 99 99 99 99 99 65 64 75 2F 63 67 69  serv.uni.edu/cgi
2D 62 69 6E 2F 66 6F 72 6D 6D 61 69 6C 2E 70 6C  -bin/formmail.pl
[ ... ]

If I include the Snort configuration file on the command line I use to
translate the tcpdump file ...

  -c $RULESPATH/$RULESNAME

... the output is then in "alert" format, that is, in chronological order
and all in one file, rather than having the packets stored in individual
subdirectories named for the external net IP address -- which is what I
want.

So, how do I use the tcpdump-format data to extract packet captures, with
headers, sorted by the external net IP address, that also include the alert
message for each packet?  Any help will be very much appreciated.

On another note, Erek Adams posted some links yesterday to guidelines
on using the Snort list and I particularly noticed the comments regarding
the outlandish disclaimers, warnings, and confidentiality statements, now
so much in vogue.  I encountered a remarkably egregious one on another
list I read, and couldn't resist parodying it.  So don't freak, or drink
yourself blotto if you're playing the game, when you see the one below.
It's a joke, obviously, but it's not *too* far from the original.  Honest.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

**********************************************************************

This e-mail and any file(s) transmitted with it are TOP SECRET and
not intended to be read by anybody, let alone by you.  If you have
received this e-mail, then you must destroy it immediately, unread,
by eating it, or men who wear black suits and dark glasses will
whisk you away to a remote, secure, and undisclosed location, there
to do unspeakable things to your tender parts.  If you haven't
received this e-mail, and never do, then you are probably safe for
the time being.

This footnote also confirms that this message has been swept to the
best of our current abilities to remove dust, pet dander, pollen,
beach sand, Britney Spears, and any rational content that may have
inadvertently been included in it.  You should NOT take this as any
guarantee or warrant that such material is free of computer viruses,
worms, or the like, and if you really ARE willing to trust people
far away, whom you've never met and never will, who are running
software you are not familiar with, to keep YOUR OWN computer virus-
free, then you have no business being within arm's reach of anything
that is connected to the internet.

Occasionally electronic communications are monitored and stored in
convenient databases by the Men-In-Black-Suits mentioned above, by
various crackers, terrorists, thieves, pornographers, foreign
governments, and your next-door neighbor's kid, in order that they
may keep tabs on what you are doing.  These people are not obliged
in any effective manner to respect some right to privacy you may
think you enjoy, and, as a matter of fact, derive endless amusement
from your profoundly naive assumption that it exists.  Skeptical?
Have a look here, and don't neglect the back issues:

  http://www.phrack.org/

**********************************************************************
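An added example, not part of the original post and not Snort's own code: a POSIX shell function that post-processes the "-A full" alert file format shown above into per-external-IP subdirectories, so each packet record keeps its "[**] ... [**]" message. The function names (split_alerts_by_external_ip, write_sample_alerts), the home-net prefix argument and the numeric sample addresses are assumptions made here; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: split a Snort "-A full" ASCII
# alert file into per-external-IP subdirectories (the layout the poster wants)
# while keeping the "[**] ... [**]" message attached to each packet record.
# Assumptions not stated in the post: records are blank-line separated, the
# home net is passed as a dotted prefix, and addresses are numeric.

split_alerts_by_external_ip() {
    alert_file=$1; out_dir=$2; home_prefix=$3
    mkdir -p "$out_dir"
    awk -v out="$out_dir" -v home="$home_prefix" '
        BEGIN { RS = ""; FS = "\n" }         # one record per paragraph
        {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++)        # find the IP header line
                if ($i ~ /^[0-9.]+(:[0-9]+)? -> [0-9.]+(:[0-9]+)? /) {
                    split($i, w, " "); src = w[1]; dst = w[3]
                    sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)
                    break
                }
            if (src == "") next              # no IP line: skip record
            ext = (index(src, home) == 1) ? dst : src   # non-home side
            dir = out "/" ext
            system("mkdir -p \"" dir "\"")
            f = dir "/alerts.txt"
            print $0 "\n" >> f; close(f)
        }' "$alert_file"
}

# Constructed sample in Snort -A full layout (addresses are RFC 5737 examples)
write_sample_alerts() {
    cat > "$1" <<'EOF'
[**] WEB-CGI formmail access [**]
04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
192.0.2.188:1562 -> 10.0.0.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
***AP*** Seq: 0x1101259E  Ack: 0xDA5E3BE7  Win: 0x2238  TcpLen: 20
47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99  GET http://wweb.

[**] ICMP PING [**]
04/01-01:31:00.000001 00:11:22:33:44:55 -> 99:88:77:66:55:44 type:0x800 len:0x62
10.0.0.6 -> 198.51.100.9 ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1  Seq:1  ECHO
EOF
}

work=$(mktemp -d)
write_sample_alerts "$work/alert"
split_alerts_by_external_ip "$work/alert" "$work/by_ip" "10.0.0."
ls "$work/by_ip"
```

Run it against the real alert file with the home-net prefix used on the snort -h option; the external side of each record decides the directory, as Snort's own per-IP logger does.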
