[Snort-users] How to review actual packets?
jsage at ...2022...
Mon Jun 11 13:51:16 EDT 2001
I'm logging in -b binary mode, and because of the small volume of
traffic here, I log everything.
Then, when I want to see what's going on, I have an alias in my .bashrc
alias snortview='snort -dv -r '
So when I want to look at a binary log, I say "snortview
snort0608 at ...2226... | more" and off I go...
I can also do stuff like "snortview snort0608 at ...2226... 'tcp = 53 '"
for example, and it shows me tcp stuff coming into port 53... That kind
of thing gets into learning the syntax in man(1) tcpdump.
I do a full scan on logs using another alias:
alias snortcheck='snort -dv -l . -c /usr/local/snort-1.7/snortcheck.conf -r '
And then I say "snortcheck snort0608 at ...2226..." and it checks the log
against the rules in snortcheck.conf
...one way to do it, anyway.
Sheahan, Paul (PCLN-NW) wrote:
> I'm new to Snort and just installed my first server on Red Hat Linux 7.0. I
> am trying to identify why certain machines are setting off alarms. I need to
> view the actual packets that were sent by the machine so I can see what URL
> they went to etc. How can I view this info in Snort? I've already looked at
> our web logs and they don't contain the info I need. I need actual sniffer
> Any help would be appreciated!
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
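The two aliases in the message above, rewritten as shell functions (an added example, not code from the original post or from the Snort project). The functions check that the log file is readable before calling snort, keep the `-r` flag in front of the file name so a trailing argument is treated as a BPF filter rather than as the file, and honour a `DRY_RUN=1` switch that prints the command instead of running it. The configuration path is the one from the post; the BPF expression `tcp port 53` in the usage line is an assumed tcpdump-style filter for "traffic to port 53", and `snort` on PATH is assumed.

```shell
#!/bin/sh
# Added example: wraps "snort -dv -r" (view a binary log) and
# "snort -dv -l . -c CONF -r" (re-run rules over a binary log) as functions.
# Assumption: SNORTCHECK_CONF defaults to the path used in the original post.
SNORTCHECK_CONF="${SNORTCHECK_CONF:-/usr/local/snort-1.7/snortcheck.conf}"

# snort_log MODE LOGFILE [BPF]
#   MODE    "view"  -> decode and print packets from the binary log
#           "check" -> replay the log against the rules in $SNORTCHECK_CONF
#   BPF     optional tcpdump-style filter, passed as the trailing argument
# With DRY_RUN=1 the assembled command line is printed instead of executed.
snort_log() {
    mode=$1
    logfile=$2
    bpf=$3
    if [ -z "$logfile" ]; then
        echo "usage: snort_log view|check LOGFILE [BPF]" >&2
        return 2
    fi
    if [ ! -r "$logfile" ]; then
        echo "snort_log: cannot read log file '$logfile'" >&2
        return 1
    fi
    case $mode in
        view)  set -- snort -dv -r "$logfile" ;;
        check) set -- snort -dv -l . -c "$SNORTCHECK_CONF" -r "$logfile" ;;
        *)     echo "snort_log: unknown mode '$mode'" >&2; return 2 ;;
    esac
    # Snort, like tcpdump, reads a BPF expression from the remaining arguments,
    # so the filter must come after -r LOGFILE, never in its place.
    if [ -n "$bpf" ]; then
        set -- "$@" "$bpf"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Same names as the aliases in the post.
snortview()  { snort_log view  "$@"; }
snortcheck() { snort_log check "$@"; }

# Usage (assumed log file name; pipe through a pager as in the post):
#   snortview  snort0608@2226 'tcp port 53' | more
#   snortcheck snort0608@2226
```

Because the functions pass the file and filter as separate arguments rather than splicing them into a string, a log file name containing `@` or spaces reaches snort intact, which the original aliases only manage when the shell quoting happens to line up.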