Snort mailing list archives

Re: Snort Alert Log Timestamps


From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Sun, 5 Feb 2017 11:05:03 +0530

Could you do a file on your *.pcap file and share the output?  If the file
is very small, what do you get when you do this: tcpdump -r yourfile.pcap -nn -X ?

On Sat, Feb 4, 2017 at 3:56 AM, Jones, Christopher (Chris) (Maj) <cajones1 () nps edu> wrote:

Team,

Snort is working for me and producing some alerts on the pcap files I want
to analyze.  The problem I'm having now is matching the alert timestamp to
a packet in Wireshark.  For instance, the following alert gives a timestamp
of 08/16-03:22:49.286138 but that packet does not exist.  The closest ones
are 03:22:48.64 and 03:22:50.65.

[**] [139:1:1] (spp_sdf) SDF Combination Alert [**]
[Classification: Sensitive Data was Transmitted Across the Network]
[Priority: 2]
08/16-03:22:49.286138 216.137.xxx.xxx -> 207.140.xxx.xxx
PROTO:254 TTL:63 TOS:0x0 ID:33005 IpLen:20 DgmLen:20 DF

I'd really like to find the offending packet to better understand what
caused the alert.  Can someone help me understand how to best find the
packet in question given a snort alert?

Thanks again.

Chris

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
Regards,
Balasubramaniam Natarajan
http://bullet-bala.blogspot.in/ <http://blog.etutorshop.com>
https://www.youracclaim.com/user/balasubramaniam-natarajan
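The question in the quoted message is how to get from a Snort alert back to the packet in the capture. The alert header carries more than a timestamp: the IP ID, protocol number, TTL and datagram length identify the packet far more reliably than a clock that may be skewed or, by default, written in the sensor's local time (Snort 2 logs UTC only when run with -U). The script below is an added example, not code from this thread or from the Snort project: it parses the alert fields, reads a libpcap file with a minimal Ethernet/IPv4 decoder, and returns both the packets that match on source, destination, protocol and IP ID and the packets closest in time. The pcap it reads is constructed in memory; the IP addresses (192.0.2.10, 198.51.100.20) and the packet timestamps around the alert are made-up values, while the ID, protocol and TTL are taken from the alert quoted above.

```python
import re
import socket
import struct
from datetime import datetime, timedelta, timezone

# Added example: alert-to-packet matching for a Snort 2 alert block.
# Matches the timestamp/address line and the IP header line of an alert.
ALERT_TS_RE = re.compile(
    r"(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hms>\d\d:\d\d:\d\d\.\d{6})\s+"
    r"(?P<src>\S+?)(?::\d+)?\s+->\s+(?P<dst>\S+?)(?::\d+)?\s*$")
ALERT_IP_RE = re.compile(r"PROTO:(?P<proto>\d+)\s+TTL:(?P<ttl>\d+).*?\bID:(?P<id>\d+)")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

PCAP_GLOBAL = struct.Struct("<IHHiIII")   # little-endian libpcap file header
PCAP_REC = struct.Struct("<IIII")         # per-packet record header
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header


def parse_alert(text, year, tz=timezone.utc):
    """Extract the matchable fields from a Snort alert block.

    Snort alert timestamps carry no year and are local time unless snort
    runs with -U, so the caller supplies both (assumption: sensor ran in UTC).
    """
    fields = {}
    for line in text.splitlines():
        m = ALERT_TS_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['hms']}",
                                   "%Y/%m/%d %H:%M:%S.%f").replace(tzinfo=tz)
            fields.update(ts_us=(ts - EPOCH) // timedelta(microseconds=1),
                          src=m["src"], dst=m["dst"])
        m = ALERT_IP_RE.search(line)
        if m:
            fields.update(proto=int(m["proto"]), ttl=int(m["ttl"]), ip_id=int(m["id"]))
    return fields


def build_ipv4(src, dst, proto, ip_id, ttl, df=True, payload=b""):
    """Ethernet frame carrying a minimal IPv4 header (checksum left zero)."""
    ip = IPV4_HDR.pack(0x45, 0, 20 + len(payload), ip_id, 0x4000 if df else 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload


def build_pcap(records):
    """records: iterable of (timestamp_in_microseconds, frame_bytes)."""
    out = [PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts_us, frame in records:
        out.append(PCAP_REC.pack(ts_us // 1_000_000, ts_us % 1_000_000,
                                 len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Decode the IPv4 header of every Ethernet/IPv4 packet in a libpcap file."""
    magic, *_, linktype = PCAP_GLOBAL.unpack_from(data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("example handles little-endian Ethernet pcaps only")
    off, pkts = PCAP_GLOBAL.size, []
    while off + PCAP_REC.size <= len(data):
        sec, usec, incl, _ = PCAP_REC.unpack_from(data, off)
        off += PCAP_REC.size
        frame = data[off:off + incl]
        off += incl
        if frame[12:14] != b"\x08\x00" or len(frame) < 34:
            continue  # not IPv4, or truncated
        _, _, dgmlen, ip_id, ff, ttl, proto, _, s, d = IPV4_HDR.unpack(frame[14:34])
        pkts.append(dict(ts_us=sec * 1_000_000 + usec, src=socket.inet_ntoa(s),
                         dst=socket.inet_ntoa(d), proto=proto, ip_id=ip_id, ttl=ttl,
                         iplen=(frame[14] & 0x0F) * 4, dgmlen=dgmlen, df=bool(ff & 0x4000)))
    return pkts


def find_candidates(pkts, alert, window_us=2_000_000):
    """Return (exact header matches, packets within window sorted by time distance)."""
    exact = [p for p in pkts if (p["src"], p["dst"], p["proto"], p["ip_id"]) ==
             (alert["src"], alert["dst"], alert["proto"], alert["ip_id"])]
    nearby = sorted((p for p in pkts if abs(p["ts_us"] - alert["ts_us"]) <= window_us),
                    key=lambda p: abs(p["ts_us"] - alert["ts_us"]))
    return exact, nearby


# Constructed sample: the alert from the thread with documentation-range addresses.
SAMPLE_ALERT = """[**] [139:1:1] (spp_sdf) SDF Combination Alert [**]
[Classification: Sensitive Data was Transmitted Across the Network]
[Priority: 2]
08/16-03:22:49.286138 192.0.2.10 -> 198.51.100.20
PROTO:254 TTL:63 TOS:0x0 ID:33005 IpLen:20 DgmLen:20 DF"""

T0 = 1471317768 * 1_000_000  # 2016-08-16 03:22:48 UTC, in microseconds
SAMPLE_PCAP = build_pcap([
    (T0 + 640_000, build_ipv4("192.0.2.10", "198.51.100.20", 6, 1000, 63, payload=b"\x00" * 20)),
    (T0 + 1_100_000, build_ipv4("192.0.2.10", "198.51.100.20", 254, 33005, 63)),
    (T0 + 2_650_000, build_ipv4("198.51.100.20", "192.0.2.10", 6, 1001, 55, payload=b"\x00" * 20)),
])
PACKETS = parse_pcap(SAMPLE_PCAP)

if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT, year=2016)
    exact, nearby = find_candidates(PACKETS, alert)
    for p in exact:
        print("header match:", p)
    print("nearest in time:", nearby[0] if nearby else None)
```

Against a real capture, replace SAMPLE_PCAP with the file contents and pass the sensor's timezone to parse_alert if Snort was not run with -U. The exact match on IP ID and protocol is what to trust; the time-ordered list is only there to show how far the alert clock drifted from the packet clock, which in this example is about 186 ms.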
