[Snort-devel] SNORT Alert Messages

Y M snort at outlook.com
Sat Jun 9 21:05:38 EDT 2018


Besides reviewing the pcap, you can also do the following:

In Snort 2 > -A console:test
In Snort 3 > -A log_hext, this will get you closer but not what you are looking for. You can play with --lua "log_hext = { raw = true }", but I didn't get the output you are looking for.

YM

________________________________
From: Snort-devel <snort-devel-bounces at lists.snort.org> on behalf of Y M via Snort-devel <snort-devel at lists.snort.org>
Sent: Sunday, June 10, 2018 3:21 AM
To: snort-devel at lists.snort.org
Subject: Re: [Snort-devel] SNORT Alert Messages

Comments inline.

________________________________

> Hello again everyone,

> I want to learn which alert belongs to which packet when SNORT prints alert messages. Is there any unique parameter that identifies packets?

Such questions are better suited to the snort-user list. You will probably catch a wider audience there.

> For example, when I give a pcap file which includes more than 50.000 packets to SNORT, I want to see alert messages like this:

>[some alert] - Packet ID: 125
>[some alert] - Packet ID: 200
>[some alert] - Packet ID: 1456
>.
>.
>.
>[some alert] - Packet ID: 23500

Which Snort version are we talking about here?

> If there is no unique parameter for packets, how can I learn which alert belongs to which packet from the alert messages?

By reviewing the packets via tcpdump/wireshark/tshark and correlating that to the detected rules? You can also chop your pcap to smaller chunks, which should make it easier.

>Thanks.
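One way to do the tcpdump/tshark-style correlation suggested above offline, as an added example that is not from this thread or from the Snort project: it assumes Snort 2's fast/console alert line format (no -y, local-time stamps) and a classic non-pcapng Ethernet capture, and it recovers the 1-based frame number (as Wireshark shows it) by matching each alert's timestamp and IP endpoints against the pcap packet headers. The pcap bytes and alert lines are constructed inline as sample data.

```python
import re
import struct
from datetime import datetime

# Assumed Snort 2 fast/console alert layout (no -y, so the stamp carries no year).
ALERT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\].*?\{\w+\}\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$")

def ipv4_frames(pcap):
    """Yield (frame_no, local_stamp, src, dst) per IPv4 frame of a classic Ethernet pcap."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off, frame = 24, 0                               # skip the 24-byte global header
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        pkt = pcap[off + 16:off + 16 + incl]
        off, frame = off + 16 + incl, frame + 1
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                 # not IPv4, nothing to match
        # Snort prints the packet's timestamp in local time (unless -U); render the pcap stamp the same way.
        stamp = datetime.fromtimestamp(sec).strftime("%m/%d-%H:%M:%S") + ".%06d" % usec
        quad = lambda b: ".".join(str(x) for x in b)
        yield frame, stamp, quad(pkt[26:30]), quad(pkt[30:34])

def correlate(alert_text, pcap):
    """Return [(alert_line, frame_no)], frame_no 1-based as in Wireshark, None if unmatched."""
    index = {}
    for frame, stamp, src, dst in ipv4_frames(pcap):
        index.setdefault((stamp, src, dst), frame)   # first frame wins on a tie
    return [(line, index.get(m.groups()) if (m := ALERT_RE.match(line)) else None)
            for line in alert_text.splitlines()]

def build_pcap(frames):
    """Write a little-endian Ethernet/IPv4/TCP pcap from (sec, usec, src, dst) tuples."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, src, dst in frames:
        ip = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0])
        ip += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
        tcp = struct.pack(">HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
        pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        data += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return data

# Constructed sample: three frames in the same second; the alerts should map to 2 and 3.
BASE = int(datetime(2018, 6, 10, 3, 21, 0).timestamp())
SAMPLE_PCAP = build_pcap([(BASE, 100, "10.0.0.9", "10.0.0.2"), (BASE, 125, "10.0.0.1", "10.0.0.2"),
                          (BASE, 200, "10.0.0.3", "10.0.0.2")])
SAMPLE_ALERTS = (
    "06/10-03:21:00.000125  [**] [1:1000001:1] TEST one [**] [Priority: 3] {TCP} 10.0.0.1:40000 -> 10.0.0.2:80\n"
    "06/10-03:21:00.000200  [**] [1:1000002:1] TEST two [**] [Priority: 3] {TCP} 10.0.0.3:40000 -> 10.0.0.2:80\n")
```

Calling correlate(SAMPLE_ALERTS, SAMPLE_PCAP) yields frame numbers 2 and 3 for the two sample alerts; a real run would read the alert file Snort wrote and the same pcap it was given with -r.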
