[Snort-users] Snort packet files

James Hoagland hoagland at ...47...
Fri Mar 16 15:56:26 EST 2001


At 2:58 PM -0600 3/13/01, Dale J. Chatham wrote:
>Snort normally puts its saved packets in files named
><Protocol>:<From-port>-<To-port>
>
>However, at least for IDS362, the ports are swapped.
>
>Can one predict this?
>
>I've written a web interface which gathers the pertinent information with
>hyperlinks to, among other things, the packet file.
>
>Does anyone have a clue as to why it's this way or how to properly predict
>the packet file name?

The higher numbered port is always listed first and the lower 
numbered one is second.  That is, for alerts that have both ports. 
The name of the directory is more complicated and depends on your 
homenet.

Regards,

  Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*              http://www.silicondefense.com/              *|
|*  Voice: (530) 756-7317              Fax: (707) 445-4222  *|



