[Snort-devel] SNORT Alert Messages

Y M snort at outlook.com
Sat Jun 9 20:21:06 EDT 2018


Comments inline.

________________________________

> Hello again everyone,

>I want to learn which alert belongs to which packet when SNORT prints alert messages. Is there any unique parameter that identifies packets?

Such questions are better suited to the snort-user list. You will probably catch wider audience there.

>For example, when I give a pcap file which includes more than 50.000 packets inside to SNORT, I want to see alert messages like that:

>[some alert] - Packet ID: 125
>[some alert] - Packet ID: 200
>[some alert] - Packet ID: 1456
>.
>.
>.
>[some alert] - Packet ID: 23500

Which Snort version are we talking about here?

>If there not exist unique parameter for packets, how can I learn which alert belongs to which packet from alert messages ?

By reviewing the packets via tcpdump/wireshark/tshark and correlating that to the detected rules? You can also chop your pcap to smaller chunks, which should make it easier.

>Thanks.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20180610/e05763dc/attachment.html>


More information about the Snort-devel mailing list