[Snort-devel] SNORT Alert Messages

Russ rucombs at cisco.com
Sat Jun 9 22:36:25 EDT 2018


For Snort 3:  snort -A csv will get you output like this by default:

05/28-08:07:32.663858, 1, TCP, raw, 40, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1:0, allow

The second field is the packet number.

On 6/9/18 9:05 PM, Y M via Snort-devel wrote:
> Besides reviewing the pcap, you can also do the following:
>
> In Snort 2 > -A console:test
> In Snort 3 > -A log_hext; this will get you closer but not what you 
> are looking for. You can play with --lua "log_hext = { raw = true }", 
> but I didn't get the output you are looking for.
>
> YM
>
> ------------------------------------------------------------------------
> *From:* Snort-devel <snort-devel-bounces at lists.snort.org> on behalf of 
> Y M via Snort-devel <snort-devel at lists.snort.org>
> *Sent:* Sunday, June 10, 2018 3:21 AM
> *To:* snort-devel at lists.snort.org
> *Subject:* Re: [Snort-devel] SNORT Alert Messages
> Comments inline.
>
> ------------------------------------------------------------------------
> > Hello again everyone,
>
> >I want to learn which alert belongs to which packet when SNORT prints 
> alert messages. Is there any unique parameter that identifies packets?
>
> Such questions are better suited to the snort-users list. You will 
> probably catch a wider audience there.
>
> >For example, when I give a pcap file which includes more than 50.000 
> packets inside to SNORT, I want to see alert messages like that:
>
> >[some alert] - Packet ID: 125
> >[some alert] - Packet ID: 200
> >[some alert] - Packet ID: 1456
> >.
> >.
> >.
> >[some alert] - Packet ID: 23500
>
> Which Snort version are we talking about here?
>
> >If there is no unique parameter for packets, how can I learn 
> which alert belongs to which packet from the alert messages?
>
> By reviewing the packets via tcpdump/wireshark/tshark and correlating 
> that to the detected rules? You can also chop your pcap to smaller 
> chunks, which should make it easier.
>
> >Thanks.
>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
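The reply above points at the second CSV field as the packet number. The following is an added example (not code from the thread or from the Snort project) that parses such alert_csv lines and groups alerts by that field, producing the "[alert] - Packet ID: N" view the original poster asked for. It assumes the Snort 3 alert_csv default field order (timestamp, pkt_num, proto, pkt_gen, pkt_len, dir, src_ap, dst_ap, rule, action); the sample log is constructed, with only its first line taken from the reply.

```python
"""Group Snort 3 CSV alerts by packet number (added example, not from the thread)."""
import csv
from collections import defaultdict
from dataclasses import dataclass

# Assumed field order: Snort 3 alert_csv default
# (timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action).
FIELDS = ["timestamp", "pkt_num", "proto", "pkt_gen", "pkt_len",
          "dir", "src_ap", "dst_ap", "rule", "action"]

# Constructed sample alert log; only the first line is the one quoted in the reply.
SAMPLE_LOG = """\
05/28-08:07:32.663858, 1, TCP, raw, 40, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1:0, allow
05/28-08:07:32.700001, 125, TCP, raw, 60, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:2000001:1, alert
05/28-08:07:33.000002, 125, TCP, raw, 60, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:2000002:1, alert
05/28-08:07:35.123456, 1456, UDP, raw, 90, S2C, 10.9.8.7:53, 10.1.2.3:5353, 1:2000003:2, drop
"""


@dataclass(frozen=True)
class Alert:
    pkt_num: int   # packet number: the field that ties the alert back to a pcap frame
    rule: str      # gid:sid:rev
    action: str
    src_ap: str
    dst_ap: str


def parse_alerts(text):
    """Parse alert_csv lines; blank or malformed lines are skipped, not fatal."""
    alerts = []
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        if len(row) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, row))
        alerts.append(Alert(int(rec["pkt_num"]), rec["rule"], rec["action"],
                            rec["src_ap"], rec["dst_ap"]))
    return alerts


def alerts_by_packet(alerts):
    """Map packet number -> alerts, so a frame that fires several rules stays grouped."""
    grouped = defaultdict(list)
    for alert in alerts:
        grouped[alert.pkt_num].append(alert)
    return dict(grouped)


def format_report(alerts):
    """Render the '[alert] - Packet ID: N' view the original poster described."""
    return [f"[{a.rule} {a.action}] - Packet ID: {a.pkt_num}" for a in alerts]


if __name__ == "__main__":
    for line in format_report(parse_alerts(SAMPLE_LOG)):
        print(line)
```

Packet numbers count from 1 in the order Snort read the pcap, so the grouped keys are the frame numbers to jump to when reviewing the same file in Wireshark or tshark.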
