[Snort-users] packet details not being saved
joey at ...155...
Fri Sep 22 12:21:49 EDT 2000
-d is supposed to do that. Note that it won't put the packet payload in
the alert file though. Check in your logging directory for the src IP
address directories. In there you should find what you are looking for.
Bob Van Cleef wrote:
> As part of a test I added the following two rules to the snort conf file.
> alert TCP any any -> 18.104.22.168/32 any (msg: "NS5 Inbound Traffic"; )
> alert TCP 22.214.171.124/32 any -> any any (msg: "NS5 Outbound Traffic"; )
> Which were triggered as desired....
> [**] NS5 Inbound Traffic [**]
> 09/20-14:48:07.045308 126.96.36.199:20 -> 188.8.131.52:2087
> TCP TTL:52 TOS:0x8 ID:28908 DF
> ******A* Seq: 0xE26833C5 Ack: 0x3BC30E Win: 0x7D78
> [**] NS5 Outbound Traffic [**]
> 09/20-14:48:07.048422 184.108.40.206:2087 -> 220.127.116.11:20
> TCP TTL:31 TOS:0x0 ID:3595 DF
> ******A* Seq: 0x3BC30E Ack: 0xE2683979 Win: 0x2238
> However, no details were captured. I've seen other alerts where the
> packet details were not captured in the data directory. What causes that?
> My snort command line is:
> /usr/local/bin/snort -d -c /usr/local/lib/snort/vision.conf -i eth0
> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><>
> Bob Van Cleef, Member of Technical Staff (408) 734-8100
> MicroUnity Systems Engineering, Inc. FAX (408) 734-8136
> 475 Potrero Ave., Sunnyvale, CA 94086 vancleef at ...211...
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
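The point of the reply is that the alert file only ever carries the decoded header (the four lines per alert quoted above); the payload that -d captures is written as a separate packet log under the logging directory, in a per-host subdirectory. The script below is an added example, not code from the original thread or from the Snort project: it parses alert entries in the format shown in the post and computes where the matching packet log should be. The alert format is taken from the page; the per-host layout (<logdir>/<source ip>/<PROTO>:<sport>-<dport>) and the default logging directory /var/log/snort are assumptions about Snort 1.x's packet logger and should be checked against your own install. The sample alert text is constructed from the two alerts quoted in the thread.

```python
"""Parse Snort 1.x 'alert' file entries and locate the matching packet logs.

Added example, not from the original post. The alert record format is the
one quoted in the thread; the per-host log layout
<logdir>/<source ip>/<PROTO>:<sport>-<dport> is an ASSUMPTION about the
Snort 1.x packet logger and may differ on your install (e.g. with -h set).
"""
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the two alerts quoted in the thread, as they appear
# in the alert file. Note there is no payload here regardless of -d.
SAMPLE_ALERTS = """\
[**] NS5 Inbound Traffic [**]
09/20-14:48:07.045308 126.96.36.199:20 -> 188.8.131.52:2087
TCP TTL:52 TOS:0x8 ID:28908 DF
******A* Seq: 0xE26833C5 Ack: 0x3BC30E Win: 0x7D78

[**] NS5 Outbound Traffic [**]
09/20-14:48:07.048422 184.108.40.206:2087 -> 220.127.116.11:20
TCP TTL:31 TOS:0x0 ID:3595 DF
******A* Seq: 0x3BC30E Ack: 0xE2683979 Win: 0x2238
"""

HEADER_RE = re.compile(r'^\[\*\*\] (?P<msg>.+?) \[\*\*\]$')
ADDR_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$')
PROTO_RE = re.compile(r'^(?P<proto>TCP|UDP|ICMP) TTL:(?P<ttl>\d+) ')


@dataclass
class Alert:
    msg: str
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int


def parse_alerts(text: str) -> List[Alert]:
    """Walk the alert file record by record. A record starts at the
    [**] msg [**] header, then the timestamp/address line, then the
    protocol line; the TCP flags line and blank lines are skipped."""
    alerts: List[Alert] = []
    cur: dict = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {'msg': m.group('msg')}
            continue
        m = ADDR_RE.match(line)
        if m and 'msg' in cur:
            cur.update(ts=m.group('ts'), src=m.group('src'),
                       sport=int(m.group('sport')), dst=m.group('dst'),
                       dport=int(m.group('dport')))
            continue
        m = PROTO_RE.match(line)
        if m and 'src' in cur:
            cur.update(proto=m.group('proto'), ttl=int(m.group('ttl')))
            alerts.append(Alert(**cur))
            cur = {}
    return alerts


def packet_log_path(logdir: str, a: Alert) -> str:
    """Where the -d packet dump for this alert is expected to live.
    ASSUMED layout: <logdir>/<source ip>/<PROTO>:<sport>-<dport>."""
    return os.path.join(logdir, a.src, f"{a.proto}:{a.sport}-{a.dport}")


def find_packet_logs(logdir: str, alerts: List[Alert]) -> List[Tuple[Alert, str, bool]]:
    """Pair each alert with its expected packet log and whether it exists,
    so alerts whose details were never written stand out."""
    out = []
    for a in alerts:
        p = packet_log_path(logdir, a)
        out.append((a, p, os.path.exists(p)))
    return out


if __name__ == '__main__':
    # /var/log/snort is the assumed default when -l is not given.
    for a, path, present in find_packet_logs('/var/log/snort', parse_alerts(SAMPLE_ALERTS)):
        print(f"{a.msg}: {path} {'found' if present else 'MISSING'}")
```

Run it against your real alert file and -l directory to see which alerts have a packet log behind them. One caveat worth checking on your own box: when Snort is started with -h to define the home network, the per-host directory is named after the non-home address rather than the source address, so the lookup above would need to pick the other endpoint in that case.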