[Snort-users] How to review actual packets?

John Sage jsage at ...2022...
Mon Jun 11 13:51:16 EDT 2001


I'm logging in -b binary mode, and because of the small volume of 
traffic here, I log everything.

Then, when I want to see what's going on, I have an alias in my .bashrc 
that says:

alias snortview='snort -dv -r '

So when I want to look at a binary log, I say "snortview 
snort0608 at ...2226... | more" and off I go...

I can also do stuff like "snortview snort0608 at ...2226... 'tcp[3] = 53 ' 
for example, and it shows me tcp stuff coming into port 53... That kind 
of thing gets into learning the syntax in man(1) tcpdump.

I do a full scan on logs using another alias:

alias snortcheck='snort -dv -l . -c /usr/local/snort-1.7/snortcheck.conf 
-r '

And then I say "snortcheck snort0608 at ...2226..." and it checks the log 
against the rules in snortcheck.conf

...one way to do it, anyway.

- John

Sheahan, Paul (PCLN-NW) wrote:

> Hello,
> I'm new to Snort and just installed my first server on Red Hat Linux 7.0. I
> am trying to identify why certain machines are setting off alarms. I need to
> view the actual packets that were sent by the machine so I can see what URL
> they went to etc. How can I view this info in Snort? I've already looked at
> our web logs and they don't contain the info I need. I need actual sniffer
> traces.
> Any help would be appreciated!
> Thanks,
> Paul
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

John Sage
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."

More information about the Snort-users mailing list