[Snort-users] packet details not being saved

Joe McAlerney joey at ...155...
Fri Sep 22 12:21:49 EDT 2000


-d is supposed to do that.  Note that it won't put the packet payload in
the alert file though.  Check in your logging directory for the src IP
address directories.  In there you should find what you are looking for.

-Joe M.

Bob Van Cleef wrote:
> 
> As part of a test I added the following two rules to the snort conf file.
> 
> alert TCP any any -> 192.86.6.101/32 any (msg: "NS5 Inbound Traffic"; )
> alert TCP 192.86.6.101/32 any -> any any (msg: "NS5 Outbound Traffic"; )
> 
> Which were triggered as desired....
> 
> [**] NS5 Inbound Traffic [**]
> 09/20-14:48:07.045308 209.125.148.135:20 -> 192.86.6.101:2087
> TCP TTL:52 TOS:0x8 ID:28908  DF
> ******A* Seq: 0xE26833C5   Ack: 0x3BC30E   Win: 0x7D78
> 
> [**] NS5 Outbound Traffic [**]
> 09/20-14:48:07.048422 192.86.6.101:2087 -> 209.125.148.135:20
> TCP TTL:31 TOS:0x0 ID:3595  DF
> ******A* Seq: 0x3BC30E   Ack: 0xE2683979   Win: 0x2238
> 
> However, no details were captured. I've seen other alerts where the
> packet details were not captured in the data directory.  What causes that?
> 
> My snort command line is:
> 
> usr/local/bin/snort -d -c /usr/local/lib/snort/vision.conf -i eth0
> 
> Bob
> ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>
> Bob Van Cleef, Member of Technical Staff         (408) 734-8100
> MicroUnity Systems Engineering, Inc.         FAX (408) 734-8136
> 475 Potrero Ave., Sunnyvale, CA 94086   vancleef at ...211...
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
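An added example (not code from the thread or from the Snort project) that parses the classic text alert format Bob quoted and cross-checks each alert against the log directory, reporting alerts whose per-source-IP directory (where -d writes the decoded payload, per Joe's reply) is absent. It assumes the log directory is keyed by source IP as Joe describes; the sample alert text and the temporary log directory are constructed inline.

```python
import os
import re
import tempfile

# Two alert records in the classic Snort text format, copied from the thread:
#   [**] <msg> [**]
#   MM/DD-HH:MM:SS.usec <src>:<sport> -> <dst>:<dport>
#   <proto> TTL:.. TOS:.. ID:.. ..
#   <flags/seq/ack/win line>
SAMPLE_ALERTS = """
[**] NS5 Inbound Traffic [**]
09/20-14:48:07.045308 209.125.148.135:20 -> 192.86.6.101:2087
TCP TTL:52 TOS:0x8 ID:28908  DF
******A* Seq: 0xE26833C5   Ack: 0x3BC30E   Win: 0x7D78

[**] NS5 Outbound Traffic [**]
09/20-14:48:07.048422 192.86.6.101:2087 -> 209.125.148.135:20
TCP TTL:31 TOS:0x0 ID:3595  DF
******A* Seq: 0x3BC30E   Ack: 0xE2683979   Win: 0x2238
"""

HEADER_RE = re.compile(r'^\[\*\*\] (?P<msg>.+?) \[\*\*\]$')
FLOW_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$')

def parse_alerts(text):
    """Return one dict per alert: msg, ts, src, sport, dst, dport, proto."""
    alerts, lines, i = [], [l.strip() for l in text.splitlines()], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        f = FLOW_RE.match(lines[i + 1]) if m and i + 2 < len(lines) else None
        if m and f:
            rec = {'msg': m.group('msg'), **f.groupdict()}
            rec['proto'] = lines[i + 2].split()[0]   # first token of the IP line
            alerts.append(rec)
            i += 3
        else:
            i += 1
    return alerts

def missing_packet_dirs(alerts, logdir):
    """Alerts with no <logdir>/<src IP> directory, i.e. no -d packet dump."""
    return [a for a in alerts
            if not os.path.isdir(os.path.join(logdir, a['src']))]

def demo():
    """Constructed log dir (hypothetical layout): only the inbound alert's
    source has a directory, so the outbound alert is reported as missing."""
    with tempfile.TemporaryDirectory() as logdir:
        os.mkdir(os.path.join(logdir, '209.125.148.135'))
        return missing_packet_dirs(parse_alerts(SAMPLE_ALERTS), logdir)
```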