[Snort-users] packet details not being saved

Bob Van Cleef vancleef at ...211...
Mon Sep 25 12:56:12 EDT 2000


Sigh... My Bad! I was looking for the wrong IP number.  It was logged
under the number used in the alert string, not the number of the remote
host... In other words, 192.86.6.101, not 209.125.148.135.

Bob

On Fri, 22 Sep 2000, Joe McAlerney wrote:

> -d is supposed to do that.  Note that it won't put the packet payload in
> the alert file though.  Check in your logging directory for the src IP
> address directories.  In there you should find what you are looking for.
> 
> -Joe M.
> 
> Bob Van Cleef wrote:
> > 
> > As part of a test I added the following two rules to the snort conf file.
> > 
> > alert TCP any any -> 192.86.6.101/32 any (msg: "NS5 Inbound Traffic"; )
> > alert TCP 192.86.6.101/32 any -> any any (msg: "NS5 Outbound Traffic"; )
> > 
> > Which were triggered as desired....
> > 
> > [**] NS5 Inbound Traffic [**]
> > 09/20-14:48:07.045308 209.125.148.135:20 -> 192.86.6.101:2087
> > TCP TTL:52 TOS:0x8 ID:28908  DF
> > ******A* Seq: 0xE26833C5   Ack: 0x3BC30E   Win: 0x7D78
> > 
> > [**] NS5 Outbound Traffic [**]
> > 09/20-14:48:07.048422 192.86.6.101:2087 -> 209.125.148.135:20
> > TCP TTL:31 TOS:0x0 ID:3595  DF
> > ******A* Seq: 0x3BC30E   Ack: 0xE2683979   Win: 0x2238
> > 
> > However, no details were captured. I've seen other alerts where the
> > packet details were not captured in the data directory.  What causes that?
> > 
> > My snort command line is:
> > 
> > /usr/local/bin/snort -d -c /usr/local/lib/snort/vision.conf -i eth0
> > 
> > Bob
> > ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>
> > Bob Van Cleef, Member of Technical Staff         (408) 734-8100
> > MicroUnity Systems Engineering, Inc.         FAX (408) 734-8136
> > 475 Potrero Ave., Sunnyvale, CA 94086   vancleef at ...211...
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> 

-- 
><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>
Bob Van Cleef, Member of Technical Staff         (408) 734-8100
MicroUnity Systems Engineering, Inc.         FAX (408) 734-8136
475 Potrero Ave., Sunnyvale, CA 94086   vancleef at ...211...
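The thread turns on reading Snort's "full" alert records and working out which address the packet log was filed under. The following is an added example, not code from the thread or from the Snort project: it parses alert records in the format quoted above (the two records from the thread are embedded as constructed sample input), picks out the endpoint that falls inside the address given in the rule, and lists the per-IP log directories worth checking. Both Joe's description (directories named after an IP under the logging directory) and Bob's finding (the rule's address, not the remote host) are consistent with checking the directory for each endpoint; the exact directory-selection rule and the `logdir` path are assumptions here, not something the thread states.

```python
"""Parse Snort 1.x 'full' alert records and map each alert to the monitored host.

Added example for the thread above; the alert text is a constructed copy of the
two records Bob posted, and the log-directory layout is an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the two alerts quoted in the thread, as Snort 1.x
# writes them to the full alert file (blank line between records).
SAMPLE_ALERTS = """\
[**] NS5 Inbound Traffic [**]
09/20-14:48:07.045308 209.125.148.135:20 -> 192.86.6.101:2087
TCP TTL:52 TOS:0x8 ID:28908  DF
******A* Seq: 0xE26833C5   Ack: 0x3BC30E   Win: 0x7D78

[**] NS5 Outbound Traffic [**]
09/20-14:48:07.048422 192.86.6.101:2087 -> 209.125.148.135:20
TCP TTL:31 TOS:0x0 ID:3595  DF
******A* Seq: 0x3BC30E   Ack: 0xE2683979   Win: 0x2238
"""

# "[**] msg [**]" header line of each record.
MSG_RE = re.compile(r"^\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]$")
# "MM/DD-HH:MM:SS.usec src:sport -> dst:dport" packet line.
PKT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)
# "TCP TTL:52 TOS:0x8 ID:28908  DF" IP-header line.
IP_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:(?P<ipid>\d+)"
)


@dataclass
class Alert:
    msg: str
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = ""
    ttl: int = 0
    extra: List[str] = field(default_factory=list)  # remaining lines (TCP flags, seq/ack, ...)


def parse_alerts(text: str) -> List[Alert]:
    """Split full-format alert text into Alert records; a blank line ends a record."""
    alerts: List[Alert] = []
    current: Optional[Alert] = None
    pending_msg: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # record separator
            current, pending_msg = None, None
            continue
        m = MSG_RE.match(line)
        if m:                             # start of a new record
            pending_msg, current = m.group("msg"), None
            continue
        if pending_msg is not None and current is None:
            p = PKT_RE.match(line)        # packet line must follow the message line
            if not p:
                raise ValueError(f"expected packet header after alert message: {line!r}")
            current = Alert(pending_msg, p["ts"], p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
            alerts.append(current)
            continue
        if current is not None:
            h = IP_RE.match(line)
            if h:
                current.proto, current.ttl = h["proto"], int(h["ttl"])
            else:
                current.extra.append(line)
    return alerts


def monitored_endpoint(alert: Alert, network: str) -> Optional[str]:
    """Return the endpoint of the alert inside `network` (the rule's address), else None."""
    net = ipaddress.ip_network(network, strict=False)
    for addr in (alert.src, alert.dst):
        if ipaddress.ip_address(addr) in net:
            return addr
    return None


def index_by_monitored_host(alerts: List[Alert], network: str) -> Dict[str, List[str]]:
    """Group alert messages by the monitored address they involve."""
    index: Dict[str, List[str]] = {}
    for a in alerts:
        key = monitored_endpoint(a, network) or "unmatched"
        index.setdefault(key, []).append(a.msg)
    return index


def candidate_log_dirs(alert: Alert, logdir: str = "/var/log/snort") -> List[str]:
    """Per-IP directories to check for the packet log; Snort files it under one endpoint.
    `logdir` is an assumed default, not taken from the thread."""
    return [f"{logdir}/{alert.src}", f"{logdir}/{alert.dst}"]


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a.msg, "->", monitored_endpoint(a, "192.86.6.101/32"), candidate_log_dirs(a))
```

Run as a script it prints, for each record, the monitored address from the rule (192.86.6.101 in both directions) and the two directories to look in, which is the check that would have shortened the search described in the thread.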