[Snort-users] Logging packet contents in alerts.

Matthew Collins Matthew.Collins at ...1681...
Thu Jun 7 03:53:54 EDT 2001


That's what I do at the moment. That's what I'm trying to avoid.

At the moment, snort logs to binary files, I use the -b option. To get the packet contents I ssh to the snort box, send snort a HUP so it closes the file & opens a new one. I then scp this to my machine, run snort on my machine against the binary file to extract the packet contents and then I examine the packet.
This takes ~ 15 minutes to do, for every false alarm. If it is towards the end of the day, the binary file can be > 400MB. If I could see the packet contents in the alert, It would take me about 10 seconds to look at the packet and see if it's a false alarm or not.

That's what I'm asking, is there any way to get snort to log packet contents in the alert?

>>> Colin Wu <wucolin at ...2181...> 06/06/01 17:35:14 >>>
Why not build tcpdump on your non-snort box and use 'tcpdump -X -r snort.log.file' to extract the contents.  I don't see why you need to restart snort to get the data dumped since you're logging application data to tcpdump format file anyway.  Am I missing something?  If you just want to checkpoint the snort logs you can send it
a HUP signal.  If you started snort with a -b flag, and using the default log file name snort will create a new binary log file with a different timestamp.



****************************************************************************************
This message and any attachments are confidential to the ordinary user of
the e-mail address to which it was addressed and may also be privileged.
If you are not the addressee you may not copy, forward, disclose or use 
any part of the message or its attachments and if you have received this
message in error, please notify the sender immediately by return e-mail and
delete it from your system.
Internet communications cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, arrive late or contain 
viruses. The sender therefore does not accept liability for any errors or
omissions in the context of this message which arise as a result of Internet
transmission.
Northern Registrars Limited, Northern House, Woodsome Park, Fenay 
Bridge, Huddersfield. HD8 0LA.
Tel: +44 (0) 1484 600900  Fax: +44 (0) 1484 600911
For more information visit our web site: http://www.northernregistrars.co.uk
****************************************************************************************




More information about the Snort-users mailing list