Snort mailing list archives

Re: session output


From: Erek Adams <erek () snort org>
Date: Tue, 4 Nov 2003 11:25:44 -0500 (EST)

On Mon, 3 Nov 2003, Costas Magos wrote:

[...snip...]

When not using the -h parameter, it seems that the IP addresses used as
directories were from machines that *initiated* the sessions. This was
verified against the actual binary, using ethereal. This was true for
all sessions except for two IRC sessions, where the session file
indicated that a non-local IP from port 6667 initiated a connection
toward a local IP from port 6667 (that is, a server connecting to a
client...) and ethereal revealed exactly the opposite: the local IP
connecting to a remote IRC server. It is because of this contradiction
that I opened this thread.

If you don't use "-h <foo>", Snort should build the directory based on the
'higher' port number "first", which usually should be the remote system.
In the case where the ports are equal, Snort picks the 'higher' IP, IIRC.

To be honest, you'll be _much_ better off logging to binary (pcap) and
then if you need the packet broken down, rerun Snort over the pcap file
and use the -h <foo> switch.  Quick, simple, fast.  And you've got your
pcap to go back and reread the data from with a:

        snort -dvr <pcap_file> "host <foo>"

Or whatever BPF filter you want to drop in.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
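An added example (not from the original post and not Snort's own code) that models the directory-naming rule described in the reply: without -h, the endpoint with the higher port is named first, and on a port tie the numerically higher IP wins. The flows, the home network 192.168.1.0/24 and the assumption that -h names the directory after the non-home side are all constructed for illustration; the equal-port IRC case shows how the directory name can disagree with the real initiator.

```python
import ipaddress
from typing import NamedTuple, Tuple


class Flow(NamedTuple):
    """A TCP session as seen on the wire; src is the side that sent the SYN."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def dir_endpoint_no_homenet(flow: Flow) -> Tuple[str, int]:
    """Assumed model of the rule in the reply: higher port first,
    and on a port tie the higher IP address (as Erek recalls it)."""
    a = (flow.src_ip, flow.src_port)
    b = (flow.dst_ip, flow.dst_port)
    if a[1] != b[1]:
        return a if a[1] > b[1] else b
    # Port tie: fall back to the numerically higher IP address.
    return a if ipaddress.ip_address(a[0]) > ipaddress.ip_address(b[0]) else b


def dir_endpoint_homenet(flow: Flow, home_net: str) -> Tuple[str, int]:
    """Assumed model of -h <home_net>: name the directory after whichever
    side of the flow is outside the home network."""
    net = ipaddress.ip_network(home_net)
    if ipaddress.ip_address(flow.src_ip) in net:
        return (flow.dst_ip, flow.dst_port)
    return (flow.src_ip, flow.src_port)


def names_initiator(flow: Flow, chosen: Tuple[str, int]) -> bool:
    """True if the chosen directory endpoint is the side that opened the session."""
    return chosen == (flow.src_ip, flow.src_port)


# Constructed sample flows: a normal web fetch and the equal-port IRC case.
WEB = Flow("192.168.1.10", 34567, "203.0.113.5", 80)
IRC = Flow("192.168.1.10", 6667, "203.0.113.5", 6667)

if __name__ == "__main__":
    for name, flow in (("web", WEB), ("irc", IRC)):
        chosen = dir_endpoint_no_homenet(flow)
        print(f"{name}: no -h -> {chosen[0]}:{chosen[1]} "
              f"initiator={names_initiator(flow, chosen)}")
```

With the higher-port rule the web flow names the local client, but the equal-port IRC flow names the remote server even though the local host opened it, which is the contradiction the thread started from.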

