[Snort-users] Logging packet contents in alerts.

Matthew Collins Matthew.Collins at ...1681...
Wed Jun 6 12:10:16 EDT 2001


I'm currently using snort 1.7 as the IDS for our company. It is set up to log all packets (and application layer) in tcpdump format. Alerts are recorded to a text file, and also to syslog. I've got a script that checks to see if the alert file has changed, and mails those changes to me. Cron runs this script every 15 minutes.
This is running very well, alerts pop up on my email now and again (mostly port scans & NetBIOS name service attempts). However, sometimes I get an alert like this. (Our IP address munged)

[**] WEB-IIS global-asa access [**]
06/06-15:11:33.932815 207.46.130.57:80 -> aa.bb.cc.dd:1091
TCP TTL:53 TOS:0x0 ID:287 IpLen:20 DgmLen:1408 DF
***A**** Seq: 0x3BB0A9DE  Ack: 0xD30A3988  Win: 0x3B14  TcpLen: 20

Now, this is either,

A. False alarm, move along, nothing to see here.
B. Someone in our company deciding to do a bit of web defacement in their lunch hour.

Now to check this, I've got to ssh onto the snort box, restart snort, scp the tcpdump log file to my machine, run snort with various options to extract the packet contents and then examine the packet.
Depending how late in the day this is, this can take some time. (For various reasons, the extract cannot be done on the snort box itself)

If the packet contents were in the alert, I'd be able to tell straight away if this was a false alarm. Is there any way to get snort to do this?










-- 



****************************************************************************************
This message and any attachments are confidential to the ordinary user of
the e-mail address to which it was addressed and may also be privileged.
If you are not the addressee you may not copy, forward, disclose or use 
any part of the message or its attachments and if you have received this
message in error, please notify the sender immediately by return e-mail and
delete it from your system.
Internet communications cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, arrive late or contain 
viruses. The sender therefore does not accept liability for any errors or
omissions in the context of this message which arise as a result of Internet
transmission.
Northern Registrars Limited, Northern House, Woodsome Park, Fenay 
Bridge, Huddersfield. HD8 0LA.
Tel: +44 (0) 1484 600900  Fax: +44 (0) 1484 600911
For more information visit our web site: http://www.northernregistrars.co.uk
****************************************************************************************




More information about the Snort-users mailing list