[Snort-users] Logging packet contents in alerts.

Colin Wu wucolin at ...2181...
Wed Jun 6 12:35:14 EDT 2001

Why not build tcpdump on your non-snort box and use 'tcpdump -X -r snort.log.file' to extract the contents.  I don't see why you need to restart snort to get the data dumped since you're logging application data to tcpdump format file anyway.  Am I missing something?  If you just want to checkpoint the snort logs you can send it
a HUP signal.  If you started snort with a -b flag, and using the default log file name snort will create a new binary log file with a different timestamp.

Matthew Collins wrote:

> I'm currently using snort 1.7 as the IDS for our company. It is set up to log all packets (and application layer) in tcpdump format. Alerts are recorded to a text file, and also to syslog. I've got a script that checks to see if the alert file has changed, and mails those changes to me. Cron runs this script every 15 minutes.
> This is running very well, alerts pop up on my email now and again (mostly port scans & NetBIOS name service attempts). However, sometimes I get an alert like this. (Our IP address munged)
> [**] WEB-IIS global-asa access [**]
> 06/06-15:11:33.932815 -> aa.bb.cc.dd:1091
> TCP TTL:53 TOS:0x0 ID:287 IpLen:20 DgmLen:1408 DF
> ***A**** Seq: 0x3BB0A9DE  Ack: 0xD30A3988  Win: 0x3B14  TcpLen: 20
> Now, this is either,
> A. False alarm, move along, nothing to see here.
> B. Someone in our company deciding to do a bit of web defacement in their lunch hour.
> Now to check this, I've got to ssh onto the snort box, restart snort, scp the tcpdump log file to my machine, run snort with various options to extract the packet contents and then examine the packet.
> Depending how late in the day this is, this can take some time. (For various reasons, the extract cannot be done on the snort box itself)
> If the packet contents were in the alert, I'd be able to tell straight away if this was a false alarm. Is there any way to get snort to do this?
> --
> ****************************************************************************************
> This message and any attachments are confidential to the ordinary user of
> the e-mail address to which it was addressed and may also be privileged.
> If you are not the addressee you may not copy, forward, disclose or use
> any part of the message or its attachments and if you have received this
> message in error, please notify the sender immediately by return e-mail and
> delete it from your system.
> Internet communications cannot be guaranteed to be secure or error-free
> as information could be intercepted, corrupted, lost, arrive late or contain
> viruses. The sender therefore does not accept liability for any errors or
> omissions in the context of this message which arise as a result of Internet
> transmission.
> Northern Registrars Limited, Northern House, Woodsome Park, Fenay
> Bridge, Huddersfield. HD8 0LA.
> Tel: +44 (0) 1484 600900  Fax: +44 (0) 1484 600911
> For more information visit our web site: http://www.northernregistrars.co.uk
> ****************************************************************************************
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


   __     _             _            Network Analyst
  /  )   //            ' )   /       Computing & Information Services
 /    __|/  o ____      / / / . .    McMaster University
(__/ (_) \_<_/ / <_    (_(_/ (_/_    (905)525-9140 ext 24050

More information about the Snort-users mailing list