[Snort-devel] Snort-devel Digest, Vol 13, Issue 9

İzzettin Erdem root.mch at gmail.com
Mon Jun 11 03:56:12 EDT 2018


Hello Albert,

Yes, I tried "sudo snort -A console:test -c /etc/snort/snort.conf" and the
output of the command was like this:

.
.
.
23  1 1333 0
23  1 251   0
23  1 123   0
24  1 111   0
24  1 122   0
24  1 1231 0
24  1 1052 0
.
.

I don't know the meanings of the columns, can you help me?

2018-06-11 5:04 GMT+03:00 <snort-devel-request at lists.snort.org>:

> Send Snort-devel mailing list submissions to
>         snort-devel at lists.snort.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.snort.org/mailman/listinfo/snort-devel
> or, via email, send a message with subject or body 'help' to
>         snort-devel-request at lists.snort.org
>
> You can reach the person managing the list at
>         snort-devel-owner at lists.snort.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-devel digest..."
>
>
> Today's Topics:
>
>    1. Re: Snort-devel Digest, Vol 13, Issue 7 (İzzettin Erdem)
>    2. Re: Snort-devel Digest, Vol 13, Issue 7 (Al Lewis (allewi))
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 11 Jun 2018 01:08:17 +0300
> From: İzzettin Erdem <root.mch at gmail.com>
> To: snort-devel at lists.snort.org
> Subject: Re: [Snort-devel] Snort-devel Digest, Vol 13, Issue 7
> Message-ID: <CAN_SLJWoEO2JL0yrkRDmccRgU2x1ZopAVCMW8ByGoHQdhvT1Pg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I am working on Snort 2.9.11, is there any way to learn which alert belongs
> to which packet?
>
> 2018-06-10 19:00 GMT+03:00 <snort-devel-request at lists.snort.org>:
>
> > Today's Topics:
> >
> >    1. Re: SNORT Alert Messages (Russ)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Sat, 9 Jun 2018 22:36:25 -0400
> > From: Russ <rucombs at cisco.com>
> > To: snort-devel at lists.snort.org
> > Subject: Re: [Snort-devel] SNORT Alert Messages
> > Message-ID: <1631bb59-8caf-a0ce-55ab-0ea5b17448c8 at cisco.com>
> > Content-Type: text/plain; charset="windows-1252"; Format="flowed"
> >
> > For Snort 3: snort -A csv will get you output like this by default:
> >
> > 05/28-08:07:32.663858, 1, TCP, raw, 40, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1:0, allow
> >
> > The second field is the packet number.
> >
> > On 6/9/18 9:05 PM, Y M via Snort-devel wrote:
> > > Besides reviewing the pcap, you can also do the following:
> > >
> > > In Snort 2 > -A console:test
> > > In Snort 3 > -A log_hext , this will get you closer but not what you
> > > are looking for. You can play with --lua "log_hext = { raw = true }",
> > > but I didn't get the output you are looking for.
> > >
> > > YM
> > >
> > > ------------------------------------------------------------------------
> > > *From:* Snort-devel <snort-devel-bounces at lists.snort.org> on behalf of
> > > Y M via Snort-devel <snort-devel at lists.snort.org>
> > > *Sent:* Sunday, June 10, 2018 3:21 AM
> > > *To:* snort-devel at lists.snort.org
> > > *Subject:* Re: [Snort-devel] SNORT Alert Messages
> > > Comments inline.
> > >
> > > ------------------------------------------------------------------------
> > > > Hello again everyone,
> > >
> > > >I want to learn which alert belongs to which packet when SNORT prints
> > > alert messages. Is there any unique parameter that identifies packets?
> > >
> > > Such questions are better suited to the snort-user list. You will
> > > probably catch a wider audience there.
> > >
> > > >For example, when I give SNORT a pcap file which includes more than 50.000
> > > packets, I want to see alert messages like this:
> > >
> > > >[some alert] - Packet ID: 125
> > > >[some alert] - Packet ID: 200
> > > >[some alert] - Packet ID: 1456
> > > >.
> > > >.
> > > >.
> > > >[some alert] - Packet ID: 23500
> > >
> > > Which Snort version are we talking about here?
> > >
> > > >If there is no unique parameter for packets, how can I learn
> > > which alert belongs to which packet from the alert messages?
> > >
> > > By reviewing the packets via tcpdump/wireshark/tshark and correlating
> > > that to the detected rules? You can also chop your pcap to smaller
> > > chunks, which should make it easier.
> > >
> > > >Thanks.
> > >
> > >
> > >
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel at lists.snort.org
> > > https://lists.snort.org/mailman/listinfo/snort-devel
> > >
> > > Please visit http://blog.snort.org for the latest news about Snort!
> >
> > End of Snort-devel Digest, Vol 13, Issue 7
> > ******************************************
> >
> ------------------------------
>
> Message: 2
> Date: Mon, 11 Jun 2018 02:04:18 +0000
> From: "Al Lewis (allewi)" <allewi at cisco.com>
> To: İzzettin Erdem <root.mch at gmail.com>, "snort-devel at lists.snort.org"
>         <snort-devel at lists.snort.org>
> Subject: Re: [Snort-devel] Snort-devel Digest, Vol 13, Issue 7
> Message-ID: <5091064E-B3EF-47C9-93DB-593951D83EBB at cisco.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
>
> Have you tried using -Aconsole:test or -Acsv?
>
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> Cisco Systems Inc.
> Email: allewi at cisco.com
>
> From: Snort-devel <snort-devel-bounces at lists.snort.org> on behalf of
> İzzettin Erdem via Snort-devel <snort-devel at lists.snort.org>
> Reply-To: İzzettin Erdem <root.mch at gmail.com>
> Date: Sunday, June 10, 2018 at 6:10 PM
> To: "snort-devel at lists.snort.org" <snort-devel at lists.snort.org>
> Subject: Re: [Snort-devel] Snort-devel Digest, Vol 13, Issue 7
>
> I am working on Snort 2.9.11, is there any way to learn which alert
> belongs to which packet?
> ------------------------------
>
> End of Snort-devel Digest, Vol 13, Issue 9
> ******************************************
>
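An added example (not code from this thread or from the Snort project) that puts the two answers in the digest to work: it parses Snort 3 `-A csv` lines, where Russ says the second field is the packet number, and the four-column Snort 2 `-A console:test` output quoted at the top, and groups the alerts per packet in the `[alert] - Packet ID: N` form the original question asked for. The meaning of the test-mode columns (packet number, gid, sid, rev) is assumed from Snort 2's alert_test output plugin and should be checked against your build, as should the assumption that packet N here is frame N in Wireshark/tshark when Snort read the same pcap without a BPF filter.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Snort 2 alert_test line: <pkt_num> <gid> <sid> <rev>, tab separated
# (column order assumed from the alert_test output plugin; verify on your build)
TEST_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
# The rule field of a Snort 3 csv line has the shape gid:sid:rev
RULE_RE = re.compile(r"^\d+:\d+:\d+$")


class Alert(NamedTuple):
    packet: int  # packet number as counted by Snort while reading the capture
    gid: int
    sid: int
    rev: int

    @property
    def rule(self) -> str:
        return f"{self.gid}:{self.sid}:{self.rev}"


def parse_alert(line: str) -> Alert:
    """Parse one line from `-A console:test` (Snort 2) or `-A csv` (Snort 3)."""
    m = TEST_RE.match(line)
    if m:
        pkt, gid, sid, rev = (int(x) for x in m.groups())
        return Alert(pkt, gid, sid, rev)
    fields = [f.strip() for f in line.split(",")]
    # Snort 3 csv: second field is the packet number; the rule field is located
    # by shape rather than position so a customised `fields` list still parses.
    rules = [f for f in fields if RULE_RE.match(f)]
    if len(fields) < 2 or not fields[1].isdigit() or not rules:
        raise ValueError(f"unrecognised alert line: {line!r}")
    gid, sid, rev = (int(x) for x in rules[0].split(":"))
    return Alert(int(fields[1]), gid, sid, rev)


def alerts_by_packet(lines) -> Dict[int, List[str]]:
    """Map packet number -> rules (gid:sid:rev) that fired on it; blank and '.' lines are skipped."""
    index: Dict[int, List[str]] = defaultdict(list)
    for line in lines:
        line = line.strip()
        if line and line != ".":
            a = parse_alert(line)
            index[a.packet].append(a.rule)
    return dict(index)


def packet_id_report(lines) -> List[str]:
    """Render '[gid:sid:rev] - Packet ID: N', the listing asked for in the thread."""
    return [f"[{r}] - Packet ID: {pkt}"
            for pkt, rules in sorted(alerts_by_packet(lines).items()) for r in rules]


# Constructed samples: the Snort 2 lines copy the output quoted in the thread,
# the csv line is Russ's Snort 3 example.
SAMPLE_TEST = "23\t1\t1333\t0\n23\t1\t251\t0\n23\t1\t123\t0\n24\t1\t111\t0\n24\t1\t122\t0\n24\t1\t1231\t0\n24\t1\t1052\t0\n"
SAMPLE_CSV = "05/28-08:07:32.663858, 1, TCP, raw, 40, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1:0, allow\n"

if __name__ == "__main__":
    print("\n".join(packet_id_report(SAMPLE_TEST.splitlines() + SAMPLE_CSV.splitlines())))
```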