Snort mailing list archives
Re: Snort-devel Digest, Vol 13, Issue 7
From: İzzettin Erdem via Snort-devel <snort-devel () lists snort org>
Date: Mon, 11 Jun 2018 01:08:17 +0300
I am working on Snort 2.9.11. Is there any way to learn which alert belongs to which packet?

2018-06-10 19:00 GMT+03:00 <snort-devel-request () lists snort org>:
> Today's Topics:
>
>    1. Re: SNORT Alert Messages (Russ)
>
> ----------------------------------------------------------------------
>
> Date: Sat, 9 Jun 2018 22:36:25 -0400
> From: Russ <rucombs () cisco com>
> To: snort-devel () lists snort org
> Subject: Re: [Snort-devel] SNORT Alert Messages
>
> For Snort 3: snort -A csv will get you output like this by default:
>
> 05/28-08:07:32.663858, 1, TCP, raw, 40, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1:0, allow
>
> The second field is the packet number.
>
> On 6/9/18 9:05 PM, Y M via Snort-devel wrote:
> > Besides reviewing the pcap, you can also do the following:
> >
> > In Snort 2 > -A console:test
> > In Snort 3 > -A log_hext, this will get you closer but not what you are looking for. You can play with --lua "log_hext = { raw = true }", but I didn't get the output you are looking for.
> >
> > YM
> >
> > ------------------------------------------------------------------------
> > *From:* Snort-devel <snort-devel-bounces () lists snort org> on behalf of Y M via Snort-devel <snort-devel () lists snort org>
> > *Sent:* Sunday, June 10, 2018 3:21 AM
> > *To:* snort-devel () lists snort org
> > *Subject:* Re: [Snort-devel] SNORT Alert Messages
> >
> > Comments inline.
> >
> > ------------------------------------------------------------------------
> > > Hello again everyone,
> > >
> > > I want to learn which alert belongs to which packet when SNORT prints alert messages. Is there any unique parameter that identifies packets?
> >
> > Such questions are better suited to the snort-user list. You will probably catch a wider audience there.
> >
> > > For example, when I give a pcap file which includes more than 50.000 packets inside to SNORT, I want to see alert messages like that:
> > >
> > > [some alert] - Packet ID: 125
> > > [some alert] - Packet ID: 200
> > > [some alert] - Packet ID: 1456
> > > . . .
> > > [some alert] - Packet ID: 23500
> >
> > Which Snort version are we talking about here?
> >
> > > If there is no unique parameter for packets, how can I learn which alert belongs to which packet from alert messages?
> >
> > By reviewing the packets via tcpdump/wireshark/tshark and correlating that to the detected rules? You can also chop your pcap into smaller chunks, which should make it easier.
> >
> > > Thanks.
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel () lists snort org
> > https://lists.snort.org/mailman/listinfo/snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
> ------------------------------
>
> End of Snort-devel Digest, Vol 13, Issue 7
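Russ's reply above gives the Snort 3 `-A csv` line and says the second field is the packet number; the original question asked for output of the form `[some alert] - Packet ID: 125`. The script below is an added example, not code from anyone on this thread or from the Snort project: it parses `-A csv` lines into (packet number, gid:sid:rev) records, groups alerts by packet, renders them in the requested form, and builds a tshark/Wireshark display filter so the flagged frames can be pulled from the pcap. Assumptions: the field names follow Snort 3's documented default `alert_csv` field list (timestamp, pkt_num, proto, pkt_gen, pkt_len, dir, src_ap, dst_ap, rule, action) and have not been overridden in the config; the sample alert lines are constructed (only the first is the one Russ posted); and Snort's packet counter matches the pcap frame number only when a single pcap is read with no BPF filter, since filtered or earlier-file packets are not counted.

```python
"""Map Snort 3 `-A csv` alerts back to packet numbers and to pcap frames."""
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

# Assumption: Snort 3's default alert_csv field order; a deployment that sets
# alert_csv.fields must adjust this list to match.
CSV_FIELDS = ["timestamp", "pkt_num", "proto", "pkt_gen", "pkt_len",
              "dir", "src_ap", "dst_ap", "rule", "action"]

# Constructed sample: line 1 is the one from the thread, the rest are made up
# to show two alerts firing on the same packet and a UDP server-to-client hit.
SAMPLE_CSV = """\
05/28-08:07:32.663858, 1, TCP, raw, 40, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1:0, allow
05/28-08:07:33.101004, 125, TCP, raw, 1500, C2S, 10.1.2.3:48621, 10.9.8.7:80, 1:1000001:2, alert
05/28-08:07:33.101004, 125, TCP, raw, 1500, C2S, 10.1.2.3:48621, 10.9.8.7:80, 1:1000002:1, alert
05/28-08:07:40.532110, 1456, UDP, raw, 78, S2C, 10.9.8.7:53, 10.1.2.3:51000, 1:1000003:1, alert
"""


@dataclass(frozen=True)
class Alert:
    pkt_num: int   # Snort's running packet counter (2nd CSV field)
    gid: int
    sid: int
    rev: int
    action: str
    src_ap: str
    dst_ap: str


def parse_csv_alerts(text: str) -> list[Alert]:
    """Parse `snort -A csv` output; rejects rows whose field count is unexpected."""
    alerts = []
    # skipinitialspace handles the ", " separators Snort emits.
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue
        if len(row) != len(CSV_FIELDS):
            raise ValueError(f"expected {len(CSV_FIELDS)} fields, got {len(row)}: {row!r}")
        rec = dict(zip(CSV_FIELDS, row))
        gid, sid, rev = (int(x) for x in rec["rule"].split(":"))
        alerts.append(Alert(int(rec["pkt_num"]), gid, sid, rev,
                            rec["action"], rec["src_ap"], rec["dst_ap"]))
    return alerts


def alerts_by_packet(alerts: list[Alert]) -> dict[int, list[Alert]]:
    """Group alerts by packet number: one packet can trigger several rules."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a.pkt_num].append(a)
    return dict(grouped)


def render(alerts: list[Alert]) -> list[str]:
    """Produce the '[alert] - Packet ID: N' form asked for in the thread."""
    return [f"[{a.gid}:{a.sid}:{a.rev}] - Packet ID: {a.pkt_num}" for a in alerts]


def tshark_frame_filter(alerts: list[Alert]) -> str:
    """Display filter selecting the flagged frames, e.g. for
    tshark -r capture.pcap -Y '<filter>'. Valid only when Snort read that one
    pcap with no BPF filter, so pkt_num equals frame.number."""
    nums = sorted({a.pkt_num for a in alerts})
    return " or ".join(f"frame.number == {n}" for n in nums)


if __name__ == "__main__":
    parsed = parse_csv_alerts(SAMPLE_CSV)
    for line in render(parsed):
        print(line)
    for pkt, hits in sorted(alerts_by_packet(parsed).items()):
        print(f"packet {pkt}: {len(hits)} alert(s)")
    print("tshark -Y", repr(tshark_frame_filter(parsed)))
```

To use it on a real run, feed the file written by `snort -A csv` (or the captured stdout) to `parse_csv_alerts` instead of `SAMPLE_CSV`. If the same pcap was passed through a BPF filter or was not the first file in a multi-pcap run, correlate by timestamp and 5-tuple (src_ap/dst_ap) rather than by frame number.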