Snort mailing list archives

Re: Snort Alert Log Timestamps


From: Marcin Dulak <marcin.dulak () gmail com>
Date: Sat, 4 Feb 2017 00:18:47 +0100

I recently reported a similar problem: http://seclists.org/snort/2017/q1/178
There is also an old barnyard issue
https://github.com/firnsy/barnyard2/issues/121
Are your alerts listed in order in the alert file?
I'm quite sure that I saw wrong timestamps in the unified2 log as well. If your
alert timestamps are not listed in order, try logging to unified2 and see
if you also obtain wrong timestamps.
If all your alerts are listed in order, then it's probably a different
issue.

Marcin

On Fri, Feb 3, 2017 at 11:26 PM, Jones, Christopher (Chris) (Maj) <
cajones1 () nps edu> wrote:

Team,

Snort is working for me and producing some alerts on the pcap files I want
to analyze.  The problem I'm having now is matching the alert timestamp to
a packet in Wireshark.  For instance, the following alert gives a timestamp
of 08/16-03:22:49.286138, but that packet does not exist.  The closest ones
are 03:22:48.64 and 03:22:50.65.

[**] [139:1:1] (spp_sdf) SDF Combination Alert [**]
[Classification: Sensitive Data was Transmitted Across the Network]
[Priority: 2]
08/16-03:22:49.286138 216.137.xxx.xxx -> 207.140.xxx.xxx
PROTO:254 TTL:63 TOS:0x0 ID:33005 IpLen:20 DgmLen:20 DF

I'd really like to find the offending packet to better understand what
caused the alert.  Can someone help me understand how to best find the
packet in question given a Snort alert?

Thanks again.

Chris

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

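The question in the thread is how to get from a Snort alert record back to the frame in the capture when the timestamps do not line up. The script below is an added example for this thread, not code from Snort, Wireshark, or either poster. It parses the two informative lines of a "full"-format alert (timestamp and addresses, then the IP header line), reads a classic microsecond pcap with the standard library only, and ranks frames by how many printed IP header fields (src, dst, protocol, IP ID, TTL) they share with the alert, using the timestamp only as a secondary key. That way a frame that is 0.6 s off but carries the same addresses and IP ID still surfaces, which is what you want if the alert clock is skewed as Marcin describes. It also emits a Wireshark display filter built from the same header fields, so the lookup can be repeated in the GUI without depending on time at all. Assumptions: the alert carries no year, so the caller supplies one (2016 here); the alert time is treated as UTC (Snort writes the sensor's local time unless started with -U, so shift accordingly); the sample alert, the RFC 5737 addresses and the in-memory pcap are constructed for the demo and are not the poster's data. Note that the alert quoted above reports PROTO:254 and DgmLen:20, a bare 20-byte IP header with no payload, so a frame that agrees on addresses and IP ID but not on protocol is still the best lead, and the sample data reproduces exactly that case.

```python
"""Locate the frame(s) behind a Snort full-format alert in a pcap (stdlib only)."""
import calendar
import re
import struct

PROTO_NAMES = {"TCP": 6, "UDP": 17, "ICMP": 1}   # names Snort prints instead of PROTO:n
IP_FIELDS = ("src", "dst", "proto", "ipid", "ttl")  # header fields compared, in report order


def to_us(year, mon, day, hh, mm, ss, us):
    """UTC wall clock -> integer microseconds since the epoch (exact, no floats)."""
    return calendar.timegm((year, mon, day, hh, mm, ss, 0, 0, 0)) * 1_000_000 + us


def parse_snort_alert(text, year):
    """Parse the timestamp/address line and the IP header line of a 'full' alert.

    Snort omits the year, so the caller supplies it.  The time is taken as UTC
    (assumption): by default Snort logs the sensor's local time unless run with -U.
    """
    m = re.search(r"(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+) -> (\S+)", text)
    h = re.search(r"(PROTO:(\d+)|TCP|UDP|ICMP) TTL:(\d+) TOS:\S+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)", text)
    if not (m and h):
        raise ValueError("not a Snort full-format alert")
    mon, day, hh, mm, ss, us = (int(x) for x in m.groups()[:6])
    src, dst = (a.rsplit(":", 1)[0] if ":" in a else a for a in m.groups()[6:])  # drop :port (IPv4 only)
    proto = int(h.group(2)) if h.group(2) else PROTO_NAMES[h.group(1)]
    return {"ts_us": to_us(year, mon, day, hh, mm, ss, us), "src": src, "dst": dst,
            "proto": proto, "ttl": int(h.group(3)), "ipid": int(h.group(4)),
            "iplen": int(h.group(5)), "dgmlen": int(h.group(6))}


def read_pcap(data):
    """Return (linktype, [(ts_us, frame), ...]) from a classic pcap in either byte order."""
    if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4:
        e = "<"
    elif struct.unpack(">I", data[:4])[0] == 0xA1B2C3D4:
        e = ">"
    else:
        raise ValueError("unsupported magic: pcapng and nanosecond pcap are not handled here")
    linktype = struct.unpack(e + "I", data[20:24])[0]
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        pkts.append((sec * 1_000_000 + usec, data[off:off + incl]))
        off += incl
    return linktype, pkts


def dotted(b):
    return ".".join(str(x) for x in b)


def parse_ipv4(frame, linktype):
    """Extract the IPv4 header fields Snort prints; None if the frame is not IPv4."""
    if linktype == 1:                       # DLT_EN10MB: 14-byte Ethernet header first
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            return None
        ip = frame[14:]
    elif linktype == 101:                   # DLT_RAW: IP with no link-layer header
        ip = frame
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    dgmlen, ipid, frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    return {"src": dotted(ip[12:16]), "dst": dotted(ip[16:20]), "proto": proto, "ipid": ipid,
            "ttl": ttl, "iplen": (ip[0] & 0xF) * 4, "dgmlen": dgmlen, "df": bool(frag & 0x4000)}


def find_candidates(alert, linktype, packets, window_us=2_000_000):
    """Rank frames: most header fields in agreement first, then closest in time.

    A frame qualifies if it is inside the time window OR its addresses and IP ID all
    match, so a skewed alert clock does not hide it.  Frame numbers are 1-based like
    Wireshark's frame.number.
    """
    out = []
    for num, (ts_us, frame) in enumerate(packets, start=1):
        hdr = parse_ipv4(frame, linktype) or {}
        matched = [f for f in IP_FIELDS if f in hdr and hdr[f] == alert[f]]
        dt_us = ts_us - alert["ts_us"]
        if abs(dt_us) <= window_us or {"src", "dst", "ipid"} <= set(matched):
            out.append({"frame": num, "dt_us": dt_us, "matched": matched})
    return sorted(out, key=lambda c: (-len(c["matched"]), abs(c["dt_us"])))


def wireshark_filter(alert):
    """Display filter pinning the header Snort printed, independent of timestamps."""
    return ("ip.src == {src} && ip.dst == {dst} && ip.proto == {proto} "
            "&& ip.id == 0x{ipid:04x}").format(**alert)


# --- constructed sample data (RFC 5737 addresses; not the poster's capture) ---------
def _frame(src, dst, proto, ipid, ttl, payload=b""):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ipid, 0x4000, ttl, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return bytes(range(12)) + b"\x08\x00" + ip + payload   # dummy MACs + IPv4 ethertype


def build_pcap(records, linktype=1):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts_us, frame in records:
        out += struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000, len(frame), len(frame)) + frame
    return out


YEAR = 2016   # assumed: the alert carries no year
SAMPLE_ALERT = """[**] [139:1:1] (spp_sdf) SDF Combination Alert [**]
[Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2]
08/16-03:22:49.286138 192.0.2.10 -> 198.51.100.20
PROTO:254 TTL:63 TOS:0x0 ID:33005 IpLen:20 DgmLen:20 DF
"""
SAMPLE_PCAP = build_pcap([   # nothing at .286138; neighbours at 48.64 and 50.65 as in the question
    (to_us(YEAR, 8, 16, 3, 22, 40, 0),      _frame("203.0.113.5", "192.0.2.10", 6, 100, 52)),
    (to_us(YEAR, 8, 16, 3, 22, 48, 640000), _frame("192.0.2.10", "198.51.100.20", 6, 33005, 63, b"A" * 40)),
    (to_us(YEAR, 8, 16, 3, 22, 50, 650000), _frame("192.0.2.10", "198.51.100.20", 6, 33006, 63, b"B" * 40)),
    (to_us(YEAR, 8, 16, 3, 23, 30, 0),      _frame("203.0.113.5", "192.0.2.10", 17, 101, 52)),
])


def demo():
    alert = parse_snort_alert(SAMPLE_ALERT, YEAR)
    linktype, packets = read_pcap(SAMPLE_PCAP)
    return alert, find_candidates(alert, linktype, packets)


if __name__ == "__main__":
    alert, cands = demo()
    print(wireshark_filter(alert))
    for c in cands:
        print(c)
```

On the sample data the top candidate is frame 2 (0.646 s before the alert time) because it shares src, dst, IP ID and TTL with the alert; frame 3 is inside the window but only shares the addresses and TTL. Neither matches PROTO:254, which is consistent with the alert describing a payload-less 20-byte datagram rather than a real packet on the wire. For a real capture, replace SAMPLE_PCAP with `open(path, "rb").read()` and, if the sensor did not run with -U, convert the alert time from the sensor's local zone before calling `to_us`.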
