[Snort-devel] Reporting packet number

Russ Combs (rucombs) rucombs at ...3461...
Thu May 22 16:11:32 EDT 2014

Posting this to snort-users as well since this is not a bug.  Please drop snort-devel from any reply.

Additional comments below.

From: Beenish Raza [beenish.raza at ...445...]
Sent: Thursday, May 22, 2014 3:55 PM
To: Bhagya Bantwal (bbantwal); snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Reporting packet number

When I use -A, I get something like this:

08/15-17:27:48.482649  [**] [1:500020:0] Rule no.20 [**] [Priority: 0] {TCP} ->

Can you please tell me where the packet number is in this?

* You need to use -A console:test as Bhagya mentioned.  The packet number will be in the first column of the output.

From: bbantwal at ...3461...
To: beenish.raza at ...445...; snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Reporting packet number
Date: Thu, 22 May 2014 00:21:18 +0000

You can use the option -A console:test (which outputs the packet number along with the alert to console) or use -A alert to log to a file.

From: Beenish Raza <beenish.raza at ...445...>
Date: Wednesday, May 21, 2014 6:09 PM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] Reporting packet number

I am matching a set of regular expressions against a large pcap file. I want snort to report the original packet number (like 10th packet of the pcap file reported match) as well when it gives alerts. What command do I need to use to do this?