Snort mailing list archives
Alert messages in packet dumps
From: Neil Dickey <neil () geol niu edu>
Date: Wed, 9 Apr 2003 13:36:38 -0500 (CDT)
I've read the Snort manual, the man page, and checked the FAQ, but I haven't found the answer to my problem. First, here's what I'm running:

    Snort version 2.0.0.rc3
    Solaris 2.7

Alerts are going into an ASCII alert file, and the packets are stored in a tcpdump-format file. This is the relevant entry in my snort.conf file:

    output log_tcpdump: /$LOGPATH/tcpdump.log

Here is my command line for invoking Snort in daemon mode:

    snort -dDe -A full -h my.home.net.0/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o -k none

This is what I'm currently using to translate the tcpdump file:

    snort -deX -q -A full -l $LOGPATH -r $LOGPATH/$READFILE

The problem is that when I decode the tcpdump file I haven't found a way to get the alert messages to be written with the packet headers and contents that the associated rule generated. Here's what I get when I don't use the tcpdump output option:

    [**] WEB-CGI formmail access [**]
    04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
    bad.guy.net.188:1562 -> my.home.net.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
    ***AP*** Seq: 0x1101259E  Ack: 0xDA5E3BE7  Win: 0x2238  TcpLen: 20
    47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99  GET http://wweb.
    99 99 99 99 99 99 99 99 99 65 64 75 2F 63 67 69  serv.uni.edu/cgi
    2D 62 69 6E 2F 66 6F 72 6D 6D 61 69 6C 2E 70 6C  -bin/formmail.pl
    [ ... ]

Here's all I can get so far when I decode the tcpdump output:

    04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
    bad.guy.net.188:1562 -> my.home.net.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
    ***AP*** Seq: 0x1101259E  Ack: 0xDA5E3BE7  Win: 0x2238  TcpLen: 20
    47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99  GET http://wweb.
    99 99 99 99 99 99 99 99 99 65 64 75 2F 63 67 69  serv.uni.edu/cgi
    2D 62 69 6E 2F 66 6F 72 6D 6D 61 69 6C 2E 70 6C  -bin/formmail.pl
    [ ... ]

If I include the Snort configuration file on the command line I use to translate the tcpdump file ...

    -c $RULESPATH/$RULESNAME

... the output is then in "alert" format, that is, in chronological order and all in one file, rather than having the packets stored in individual subdirectories named for the external net IP address -- which is what I want.

So, how do I use the tcpdump-format data to extract packet captures, with headers, sorted by the external net IP address, that also include the alert message for each packet?

Any help will be very much appreciated.

On another note, Erek Adams posted some links yesterday to guidelines on using the Snort list and I particularly noticed the comments regarding the outlandish disclaimers, warnings, and confidentiality statements, now so much in vogue. I encountered a remarkably egregious one on another list I read, and couldn't resist parodying it. So don't freak, or drink yourself blotto if you're playing the game, when you see the one below. It's a joke, obviously, but it's not *too* far from the original. Honest.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

**********************************************************************
This e-mail and any file(s) transmitted with it are TOP SECRET and not intended to be read by anybody, let alone by you. If you have received this e-mail, then you must destroy it immediately, unread, by eating it, or men who wear black suits and dark glasses will whisk you away to a remote, secure, and undisclosed location, there to do unspeakable things to your tender parts. If you haven't received this e-mail, and never do, then you are probably safe for the time being. This footnote also confirms that this message has been swept to the best of our current abilities to remove dust, pet dander, pollen, beach sand, Britney Spears, and any rational content that may have inadvertently been included in it.

You should NOT take this as any guarantee or warrant that such material is free of computer viruses, worms, or the like, and if you really ARE willing to trust people far away, whom you've never met and never will, who are running software you are not familiar with, to keep YOUR OWN computer virus-free, then you have no business being within arm's reach of anything that is connected to the internet. Occasionally electronic communications are monitored and stored in convenient databases by the Men-In-Black-Suits mentioned above, by various crackers, terrorists, thieves, pornographers, foreign governments, and your next-door neighbor's kid, in order that they may keep tabs on what you are doing. These people are not obliged in any effective manner to respect some right to privacy you may think you enjoy, and, as a matter of fact, derive endless amusement from your profoundly naive assumption that it exists. Skeptical? Have a look here, and don't neglect the back issues: http://www.phrack.org/
**********************************************************************
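As an added example (not part of the post above, and not Snort's own code), the script below parses the "-A full" alert format shown in the message and groups the records by whichever endpoint lies outside the home net, which is the per-external-address sorting the poster wants but cannot get from the tcpdump replay. It assumes alert records are separated by blank lines, that the home net is 192.0.2.0/24, and uses constructed sample alerts with documentation-range addresses.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in Snort's "-A full" alert format. Addresses are
# documentation ranges, not real hosts; the home net is assumed to be
# 192.0.2.0/24. Records are assumed to be separated by a blank line.
SAMPLE_ALERTS = """\
[**] WEB-CGI formmail access [**]
04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
203.0.113.188:1562 -> 192.0.2.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
***AP*** Seq: 0x1101259E  Ack: 0xDA5E3BE7  Win: 0x2238  TcpLen: 20

[**] WEB-MISC /etc/passwd [**]
04/01-01:31:02.101010 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x9C
203.0.113.188:1570 -> 192.0.2.6:80 TCP TTL:107 TOS:0x0 ID:7012 IpLen:20 DgmLen:142 DF
***AP*** Seq: 0x1101260A  Ack: 0xDA5E3C00  Win: 0x2238  TcpLen: 20

[**] ICMP PING NMAP [**]
04/01-01:35:00.000001 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x3C
198.51.100.7 -> 192.0.2.1 ICMP TTL:45 TOS:0x0 ID:1 IpLen:20 DgmLen:28
"""

# Line 1 of a record: "[**] <rule message> [**]"
ALERT_HDR = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
# Line 3 of a record: "src[:port] -> dst[:port] PROTO ..." (ports absent for ICMP)
IP_LINE = re.compile(
    r"^(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)? (?P<proto>\w+)")


def parse_alerts(text):
    """Split a full-format alert file into records keyed by msg, ts, src, dst, proto."""
    records, block = [], []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if line.strip():
            block.append(line)
            continue
        if block:
            hdr, ipm = ALERT_HDR.match(block[0]), IP_LINE.match(block[2])
            if hdr and ipm:
                ts = block[1].split()[0]  # timestamp is the first token of line 2
                records.append({"msg": hdr.group("msg"), "ts": ts,
                                "raw": "\n".join(block), **ipm.groupdict()})
            block = []
    return records


def group_by_external(records, home_net):
    """Key each record by the endpoint outside home_net, like Snort's -l subdirectories."""
    net = ip_network(home_net)
    groups = defaultdict(list)
    for rec in records:
        ext = rec["dst"] if ip_address(rec["src"]) in net else rec["src"]
        groups[ext].append(rec)
    return dict(groups)
```

Writing each group's "raw" records to a directory named after the external address reproduces the per-host layout while keeping the alert message attached to its packet header.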