Snort mailing list archives

Re: Showing dump of only matched packets.


From: Gustavo Guillermo Perez <gustavo () compunauta com>
Date: Tue, 22 Mar 2011 23:59:18 -0600

On Tuesday, 22 March 2011, Russ Combs wrote:
> For IDS mode, -A cmg will dump the alerting packets in hex.
Thanks a lot, but starting it that way I get a quiet console and no logs and
no alerts. I've read the manual and it was so hard to figure out how to write a
rule, which is just why I asked the list; sorry if this looks like a noob
question!

mbu5 gus # snort -A cmg -c rule.txt -i br0
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "pcap.txt"
Tagged Packet Limit: 256
Log directory = /var/log/snort

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       1       0       0       0
|      nc       1       0       0       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
Reload thread starting...
Reload thread started, thread 1026 (3666)
Initializing Network Interface br0
Decoding Ethernet on interface br0

[ Port and Service Based Pattern Matching Memory ]

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.1 GRE (Build 114) inline 
   ''''    By Martin Roesch & The Snort Team: 
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 8.02 2010-03-19

Not Using PCAP_FRAMES
^C*** Caught Int-Signal
Snort exiting
Run time prior to being shutdown was 1195.286587 seconds
===============================================================================
Snort ran for 0 Days 0 Hours 19 Minutes 55 Seconds
Snort Analyzed 53706 Packets Per Minute
Snort Analyzed 853 Packets Per Second

Packet Wire Totals:
   Received:      1020422
   Analyzed:      1020420 (100.000%)
    Dropped:            0 (0.000%)
Outstanding:            2 (0.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      ETH: 1020420    (100.000%)
  ETHdisc: 0          (0.000%)
 IPTables: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 6          (0.001%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 1019007    (99.862%)
  IP4disc: 732691     (71.803%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 283309     (27.764%)
      UDP: 2938       (0.288%)
     ICMP: 60         (0.006%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 1407       (0.138%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
IPv4/IPv4: 0          (0.000%)
IPv4/IPv6: 0          (0.000%)
IPv6/IPv4: 0          (0.000%)
IPv6/IPv6: 0          (0.000%)
      GRE: 0          (0.000%)
  GRE ETH: 0          (0.000%)
 GRE VLAN: 0          (0.000%)
 GRE IPv4: 0          (0.000%)
 GRE IPv6: 0          (0.000%)
GRE IP6 E: 0          (0.000%)
 GRE PPTP: 0          (0.000%)
  GRE ARP: 0          (0.000%)
  GRE IPX: 0          (0.000%)
 GRE LOOP: 0          (0.000%)
     MPLS: 0          (0.000%)
    OTHER: 9          (0.001%)
  DISCARD: 732691     (71.803%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 1020420   
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 310
PASSED: 0
===============================================================================
mbu5 gus # ls -lsh
total 25M
   0 drwxr-xr-x 4 gus root    66 Mar  7 14:54 cmlnet
7.2M -rw-r--r-- 1 gus root  7.2M Mar 18 17:38 dump.bin
 12M -rw-r--r-- 1 gus root   12M Mar 18 17:44 dump2.bin
8.0K -rw-r--r-- 1 gus root  5.7K Mar 18 19:25 dump3.bin
4.4M -rw-r--r-- 1 gus root  4.4M Mar 19 19:16 dump4.bin
4.0K -rw-r--r-- 1 gus root    79 Mar 18 20:52 garg.txt
4.0K -rwxr-xr-x 1 gus users  243 Jul 17  2007 gushash
   0 drwxr-xr-x 3 gus gus     20 Mar 19 23:41 include
4.0K -rw-r--r-- 1 gus gus    111 Mar  1 03:25 juaz.html
   0 drwxr-xr-x 2 gus gus      6 Mar 22 01:42 mainto
   0 drwxr-xr-x 4 gus root    58 Mar  1 06:59 myftp
4.0K -rw-r--r-- 1 gus root    86 Mar 19 21:33 rule.txt
mbu5 gus # date
Wed Mar 23 05:53:02 UTC 2011
mbu5 gus # ls -lsh /var/log/snort/
total 2.0M
   0 -rw-r--r-- 1 root root    0 Mar 19 22:12 alert
920K -rw-r--r-- 1 root root 917K Mar 19 22:17 snort.log
288K -rw------- 1 root root 288K Mar 19 21:20 snort.log.1300569357
 56K -rw------- 1 root root  55K Mar 19 21:33 snort.log.1300569930
 40K -rw------- 1 root root  37K Mar 19 21:36 snort.log.1300570404
4.0K -rw------- 1 root root 3.9K Mar 19 21:37 snort.log.1300570617
8.0K -rw------- 1 root root 4.2K Mar 19 21:39 snort.log.1300570736
200K -rw------- 1 root root 198K Mar 19 21:54 snort.log.1300570783
 16K -rw------- 1 root root  13K Mar 19 21:55 snort.log.1300571693
8.0K -rw------- 1 root root 6.3K Mar 19 21:57 snort.log.1300571763
144K -rw------- 1 root root 143K Mar 19 22:07 snort.log.1300571839
184K -rw------- 1 root root 184K Mar 19 22:15 snort.log.1300572746
104K -rw------- 1 root root 104K Mar 19 22:35 snort.log.1300573852
mbu5 gus #

-- 
Gustavo Guillermo Perez
http://www.compunauta.com
http://www.compunauta.net
http://anuncios.compunauta.net
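An added example, not part of the original post or of Snort itself: the run summary above ends with "ALERTS: 0" but "LOGGED: 310", and Russ's reply says `-A cmg` dumps the alerting packets. A rule whose action is `log` rather than `alert` fills snort.log.* in the log directory but never produces an alert, so an alert output mode such as cmg has nothing to print. The rule file itself is not shown on the page, so that reading is an inference from the Action Stats. The small parser below reads a Snort 2.x shutdown summary (the sample is the text copied from the post) and flags that condition, together with the drop ratio a sensor operator would normally check after a run. Function names and the threshold are this example's own choices.

```python
import re
from typing import Dict, List

# Constructed sample: the tail of the shutdown summary shown in the post above
# (numbers copied from the page; nothing else about the run is assumed).
SAMPLE_SUMMARY = """\
Packet Wire Totals:
   Received:      1020422
   Analyzed:      1020420 (100.000%)
    Dropped:            0 (0.000%)
Outstanding:            2 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 310
PASSED: 0
===============================================================================
"""

# Snort 2.x prints the wire counters with a trailing "(xx.xxx%)" and the
# action counters as bare "NAME: N" lines; both are matched line-anchored.
WIRE_RE = re.compile(r"^\s*(Received|Analyzed|Dropped|Outstanding):\s+(\d+)", re.M)
ACTION_RE = re.compile(r"^(ALERTS|LOGGED|PASSED):\s+(\d+)", re.M)

# Above this fraction of dropped packets the run is not trustworthy
# (hypothetical operator threshold, not a Snort setting).
MAX_DROP_RATIO = 0.01


def parse_summary(text: str) -> Dict[str, int]:
    """Extract the wire totals and action stats into a lower-cased dict."""
    stats: Dict[str, int] = {}
    for m in WIRE_RE.finditer(text):
        stats[m.group(1).lower()] = int(m.group(2))
    for m in ACTION_RE.finditer(text):
        stats[m.group(1).lower()] = int(m.group(2))
    return stats


def diagnose(stats: Dict[str, int]) -> List[str]:
    """Return human-readable findings for a parsed summary (empty list = fine)."""
    findings: List[str] = []
    alerts = stats.get("alerts", 0)
    logged = stats.get("logged", 0)
    received = stats.get("received", 0)
    dropped = stats.get("dropped", 0)

    # Rules fired (packets were logged) but no alert was raised: an alert
    # output mode such as -A cmg prints nothing in this case. The usual cause
    # is a rule written with the 'log' action instead of 'alert'.
    if logged > 0 and alerts == 0:
        findings.append(
            "packets were logged but no alerts were generated; -A cmg only "
            "prints alerting packets, so change the rule action from log to "
            "alert (and check the log directory for snort.log.* files)"
        )

    # Nothing matched at all: rule, interface or traffic problem.
    if received > 0 and logged == 0 and alerts == 0:
        findings.append("no rule matched any of the received packets")

    # Packet loss on the wire makes every other number suspect.
    if received and dropped / received > MAX_DROP_RATIO:
        findings.append(
            f"{dropped} of {received} packets dropped "
            f"({100.0 * dropped / received:.2f}%), above "
            f"{100.0 * MAX_DROP_RATIO:.0f}%"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    for line in diagnose(parsed) or ["run looks healthy"]:
        print("-", line)
```

Run against the posted summary it reports one finding: packets were logged but nothing alerted. A minimal rule that would make `-A cmg` show traffic on the console is of the form `alert tcp any any -> any any (msg:"test"; sid:1000001;)`; the `sid` value here is an arbitrary local-range choice.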

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users