[Snort-users] packet details not being saved
Bob Van Cleef
vancleef at ...211...
Mon Sep 25 12:56:12 EDT 2000
Sigh... My Bad! I was looking for the wrong IP number. It was logged
under the number used in the alert string, not the number of the remote
host... In other words, 188.8.131.52, not 184.108.40.206.
On Fri, 22 Sep 2000, Joe McAlerney wrote:
> -d is supposed to do that. Note that it won't put the packet payload in
> the alert file though. Check in your logging directory for the src IP
> address directories. In there you should find what you are looking for.
> -Joe M.
> Bob Van Cleef wrote:
> > As part of a test I added the following two rules to the snort conf file.
> > alert TCP any any -> 220.127.116.11/32 any (msg: "NS5 Inbound Traffic"; )
> > alert TCP 18.104.22.168/32 any -> any any (msg: "NS5 Outbound Traffic"; )
> > Which were triggered as desired....
> > [**] NS5 Inbound Traffic [**]
> > 09/20-14:48:07.045308 22.214.171.124:20 -> 126.96.36.199:2087
> > TCP TTL:52 TOS:0x8 ID:28908 DF
> > ******A* Seq: 0xE26833C5 Ack: 0x3BC30E Win: 0x7D78
> > [**] NS5 Outbound Traffic [**]
> > 09/20-14:48:07.048422 188.8.131.52:2087 -> 184.108.40.206:20
> > TCP TTL:31 TOS:0x0 ID:3595 DF
> > ******A* Seq: 0x3BC30E Ack: 0xE2683979 Win: 0x2238
> > However, no details were captured. I've seen other alerts where the
> > packet details were not captured in the data directory. What causes that?
> > My snort command line is:
> > usr/local/bin/snort -d -c /usr/local/lib/snort/vision.conf -i eth0
> > Bob
> > ><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><>
> > Bob Van Cleef, Member of Technical Staff (408) 734-8100
> > MicroUnity Systems Engineering, Inc. FAX (408) 734-8136
> > 475 Potrero Ave., Sunnyvale, CA 94086 vancleef at ...211...
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
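The resolution above (the packet log was under the address named in the rule, not the remote host's) suggests a simple check that is worth having at hand. The following POSIX shell helper is an added example, not code from the thread or from the Snort project: it pulls both endpoint addresses out of a Snort alert header line and looks for a non-empty per-IP subdirectory under the logging directory for either of them. It assumes the Snort 1.x layout where packet logs are written to `<logdir>/<ip>/`; the fixture directory, the file name `TCP:2087-20` and its contents are constructed for the example, while the addresses are the ones shown in the alerts above.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): given a Snort 1.x style
# log directory, where packet logs live under a per-IP subdirectory, look for
# an alert's packet log under BOTH endpoint addresses, because the directory
# is named after whichever address Snort picked, not necessarily the remote
# host that the analyst has in mind.

# Constructed fixture mimicking the layout (file name and contents invented).
SNORT_LOGDIR="$(mktemp -d)"
mkdir -p "$SNORT_LOGDIR/188.8.131.52"
printf 'constructed packet dump\n' > "$SNORT_LOGDIR/188.8.131.52/TCP:2087-20"

# Print "src dst" for an alert header line such as
#   09/20-14:48:07.048422 188.8.131.52:2087 -> 184.108.40.206:20
alert_ips() {
    printf '%s\n' "$1" |
        sed -n 's/^[^ ]* \([0-9.]*\):[0-9]* -> \([0-9.]*\):[0-9]*$/\1 \2/p'
}

# Print the per-IP directory under $SNORT_LOGDIR that actually holds packet
# logs for either endpoint of the alert; return 1 if neither has anything.
find_packet_logdir() {
    for ip in $(alert_ips "$1"); do
        if [ -d "$SNORT_LOGDIR/$ip" ] && [ -n "$(ls -A "$SNORT_LOGDIR/$ip")" ]; then
            printf '%s\n' "$SNORT_LOGDIR/$ip"
            return 0
        fi
    done
    return 1
}

# Usage: the outbound alert from the thread resolves to the 188.8.131.52
# directory; the inbound alert (other endpoints) finds nothing in the fixture.
find_packet_logdir '09/20-14:48:07.048422 188.8.131.52:2087 -> 184.108.40.206:20'
```

Run it against a real sensor by setting `SNORT_LOGDIR` to the directory passed to `snort -l` instead of the temporary fixture; if the lookup fails for both addresses, the packet was never logged (for example because only the alert output was configured), which is a different problem from looking under the wrong IP.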