[Snort-devel] Snort-devel Digest, Vol 13, Issue 7

İzzettin Erdem root.mch at gmail.com
Sun Jun 10 18:08:17 EDT 2018


I am working on Snort 2.9.11. Is there any way to learn which alert belongs
to which packet?

2018-06-10 19:00 GMT+03:00 <snort-devel-request at lists.snort.org>:

> Today's Topics:
>
>    1. Re: SNORT Alert Messages (Russ)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 9 Jun 2018 22:36:25 -0400
> From: Russ <rucombs at cisco.com>
> To: snort-devel at lists.snort.org
> Subject: Re: [Snort-devel] SNORT Alert Messages
> Message-ID: <1631bb59-8caf-a0ce-55ab-0ea5b17448c8 at cisco.com>
> Content-Type: text/plain; charset="windows-1252"; Format="flowed"
>
> For Snort 3: snort -A csv will get you output like this by default:
>
> 05/28-08:07:32.663858, 1, TCP, raw, 40, C2S, 10.1.2.3:48620,
> 10.9.8.7:80, 1:1:0, allow
>
> The second field is the packet number.
>
> On 6/9/18 9:05 PM, Y M via Snort-devel wrote:
> > Besides reviewing the pcap, you can also do the following:
> >
> > In Snort 2 > -A console:test
> > In Snort 3 > -A log_hext , this will get you closer but not what you
> > are looking for. You can play with --lua "log_hext = { raw = true }",
> > but I didn't get the output you are looking for.
> >
> > YM
> >
> > ------------------------------------------------------------------------
> > *From:* Snort-devel <snort-devel-bounces at lists.snort.org> on behalf of
> > Y M via Snort-devel <snort-devel at lists.snort.org>
> > *Sent:* Sunday, June 10, 2018 3:21 AM
> > *To:* snort-devel at lists.snort.org
> > *Subject:* Re: [Snort-devel] SNORT Alert Messages
> > Comments inline.
> >
> > ------------------------------------------------------------------------
> > > Hello again everyone,
> >
> > >I want to learn which alert belongs to which packet when SNORT prints
> > alert messages. Is there any unique parameter that identifies packets?
> >
> > Such questions are better suited to the snort-user list. You will
> > probably catch a wider audience there.
> >
> > >For example, when I give SNORT a pcap file which includes more than 50.000
> > packets, I want to see alert messages like this:
> >
> > >[some alert] - Packet ID: 125
> > >[some alert] - Packet ID: 200
> > >[some alert] - Packet ID: 1456
> > >.
> > >.
> > >.
> > >[some alert] - Packet ID: 23500
> >
> > Which Snort version are we talking about here?
> >
> > >If there is no unique parameter for packets, how can I learn
> > which alert belongs to which packet from the alert messages?
> >
> > By reviewing the packets via tcpdump/wireshark/tshark and correlating
> > that to the detected rules? You can also chop your pcap to smaller
> > chunks, which should make it easier.
> >
> > >Thanks.
> >
> >
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.snort.org
> > https://lists.snort.org/mailman/listinfo/snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
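Russ's reply above gives the key: in Snort 3 `-A csv` output, the second field is the packet number, which is exactly the "Packet ID" the original poster wanted. The script below is an added example, not code from the thread or from the Snort project. It parses lines in the default Snort 3 alert_csv layout (timestamp, pkt_num, proto, pkt_gen, pkt_len, dir, src_ap, dst_ap, rule, action; the quoted sample line follows this order), groups alerts by packet number, prints them in the "[alert] - Packet ID: N" shape requested, and builds a Wireshark display filter for the alerting frames. The sample lines are constructed (the first one is the line quoted by Russ); the assumption that `pkt_num` equals the pcap frame number holds when Snort reads the whole pcap with no DAQ-level filtering.

```python
import csv
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Default field order of Snort 3 alert_csv output. The line quoted in the
# thread follows this layout; the second field (pkt_num) is the packet number.
FIELDS = ["timestamp", "pkt_num", "proto", "pkt_gen", "pkt_len", "dir",
          "src_ap", "dst_ap", "rule", "action"]


@dataclass
class Alert:
    timestamp: str
    pkt_num: int
    proto: str
    pkt_gen: str
    pkt_len: int
    direction: str
    src_ap: str
    dst_ap: str
    rule: str      # gid:sid:rev
    action: str


def parse_alert_line(line: str) -> Alert:
    """Parse one `snort -A csv` line into an Alert (fields are comma+space separated)."""
    row = next(csv.reader([line], skipinitialspace=True))
    if len(row) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {line!r}")
    return Alert(timestamp=row[0], pkt_num=int(row[1]), proto=row[2], pkt_gen=row[3],
                 pkt_len=int(row[4]), direction=row[5], src_ap=row[6], dst_ap=row[7],
                 rule=row[8], action=row[9])


def alerts_by_packet(text: str) -> Dict[int, List[Alert]]:
    """Group alerts by packet number; one packet can trigger several rules."""
    index: Dict[int, List[Alert]] = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alert = parse_alert_line(line)
        index[alert.pkt_num].append(alert)
    return dict(index)


def format_alert(alert: Alert) -> str:
    """Render in the '[alert] - Packet ID: N' form the original poster asked for."""
    return f"[{alert.rule}] {alert.src_ap} -> {alert.dst_ap} - Packet ID: {alert.pkt_num}"


def wireshark_filter(pkt_nums: Iterable[int]) -> str:
    """Display filter selecting the alerting frames in Wireshark.
    Assumption: pkt_num matches the pcap frame number (1-based, no DAQ filtering)."""
    return " || ".join(f"frame.number == {n}" for n in sorted(set(pkt_nums)))


# Constructed sample output; the first line is the one quoted by Russ,
# the remaining lines are made up to show one packet hitting two rules.
SAMPLE = """\
05/28-08:07:32.663858, 1, TCP, raw, 40, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1:0, allow
05/28-08:07:32.664101, 125, TCP, raw, 60, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1000001:2, alert
05/28-08:07:32.664102, 125, TCP, raw, 60, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1000002:1, alert
05/28-08:07:33.012345, 200, UDP, raw, 78, S2C, 10.9.8.7:53, 10.1.2.3:51000, 1:1000003:1, alert
"""

if __name__ == "__main__":
    index = alerts_by_packet(SAMPLE)
    for pkt_num in sorted(index):
        for alert in index[pkt_num]:
            print(format_alert(alert))
    print("Wireshark filter:", wireshark_filter(index))
```

Feed it the file written by `snort -A csv` (or redirected stdout) and open the pcap in Wireshark with the printed filter to jump straight to the frames that raised alerts. Snort 2 has no packet-number field in its alert output, which is why the thread points Snort 2 users at correlating timestamps and 5-tuples against the pcap instead.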