Snort mailing list archives
session output
From: Costas Magos <kmag () lab epmhs gr>
Date: Mon, 03 Nov 2003 17:03:07 +0200
hi all,

I apologize if this has been discussed before (probably has), but I have searched in the archives with no luck. I am using snort 1.9.0 on a RH 7.3 machine and I have the rule:

log ip any any <> any any (session: printable;)

in my snort.conf, in order to catch the exchanged ascii data for all sessions. The snort output I get is directories named after IP addresses with SESSION:<hi-port>-<lo-port> files (see below for an example). What seems confusing to me is whether the IP addresses used as directory names are the originators or the recipients of the sessions, i.e. did they initialize the session or just accept it? Under what criteria does snort pick the IP address of the session? How can this IP address be interpreted?

[kmag@kmag]$ tree
|-- 143.101.50.217
|   |-- SESSION:2487-80
|   `-- SESSION:4961-80
|-- 192.163.247.228
|   |-- SESSION:1601-80
|   |-- SESSION:2297-80
|   |-- SESSION:2812-80
|   |-- SESSION:4065-80
|   `-- SESSION:4855-80
|-- 192.163.75.1
|   |-- SESSION:1025-443
|   |-- SESSION:1026-443
|   |-- SESSION:1027-443
|   |-- SESSION:54923-26
|   `-- SESSION:55021-26
|-- 61.134.172.78
|   `-- SESSION:4280-80
|-- 62.172.135.202
|   |-- SESSION:2386-1433
|   |-- SESSION:3345-1433
|   |-- SESSION:4195-1433
|   `-- SESSION:4198-1433
|-- 81.89.13.95
|   |-- SESSION:4605-26
|   `-- SESSION:4738-26

Thanks in advance.

Kind regards,
Costas Magos
Internet Systematics Lab
NCSR "Demokritos"
Athens, Greece
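The session-output layout shown above (a directory per IP, files named SESSION:<hi-port>-<lo-port>) can be turned into a per-host service summary, which is the first thing a reviewer wants from a pile of session files. This is an added example, not code from the original post or from Snort; the listing it parses is a constructed subset of the `tree` output above, and the parser only uses the naming convention the post describes (it does not decide which side opened each session, since the file name orders the two ports numerically).

```python
# Added example: parse Snort's session-output tree and summarise service ports per host.
import re
from collections import defaultdict

# Constructed input: a subset of the `tree` listing from the post, one entry per line.
TREE_OUTPUT = """\
|-- 143.101.50.217
|   |-- SESSION:2487-80
|   `-- SESSION:4961-80
|-- 62.172.135.202
|   |-- SESSION:2386-1433
|   |-- SESSION:3345-1433
|   |-- SESSION:4195-1433
|   `-- SESSION:4198-1433
`-- 81.89.13.95
    |-- SESSION:4605-26
    `-- SESSION:4738-26
"""

# A top-level tree entry holding a dotted-quad directory name.
DIR_RE = re.compile(r"^[|`]-- (\d{1,3}(?:\.\d{1,3}){3})$")
# An indented SESSION:<port>-<port> file entry beneath a directory.
FILE_RE = re.compile(r"^[|\s]+[|`]-- SESSION:(\d+)-(\d+)$")


def parse_session_tree(text):
    """Return (ip, hi_port, lo_port) tuples in listing order.

    The directory name is the peer address Snort chose for the session; the file
    name carries both ports with the higher one first, so on its own it does not
    tell you which side initiated the connection.
    """
    records, current_ip = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if (m := DIR_RE.match(line)):
            current_ip = m.group(1)
            continue
        if current_ip and (m := FILE_RE.match(line)):
            a, b = int(m.group(1)), int(m.group(2))
            records.append((current_ip, max(a, b), min(a, b)))
    return records


def services_per_host(records):
    """Map ip -> {lo_port: session_count}; the low port is usually the service side."""
    summary = defaultdict(lambda: defaultdict(int))
    for ip, _hi, lo in records:
        summary[ip][lo] += 1
    return {ip: dict(ports) for ip, ports in summary.items()}
```

Running `services_per_host(parse_session_tree(TREE_OUTPUT))` groups the four 62.172.135.202 sessions under port 1433, which is the kind of cluster worth a closer look in the matching SESSION files.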
Current thread:
- session output Costas Magos (Nov 03)
- Re: session output Matt Kettler (Nov 03)
- Re: session output Costas Magos (Nov 04)
- Re: session output Erek Adams (Nov 04)
- Re: session output Costas Magos (Nov 05)
- Re: session output Costas Magos (Nov 04)
- Re: session output Matt Kettler (Nov 03)
- <Possible follow-ups>
- Re: session output Costas Magos (Nov 04)