[Snort-users] alert message containing info from the packet?

Andreas Hasenack andreas at ...814...
Thu May 10 11:08:09 EDT 2001

Would it be feasible for snort's alert messages to contain
some information from the packet that caused the alert?

One example, ICMP host unreachable packets.

The current rules only log this generic message and which machine
sent them, but not which host was unreachable. For that info, I have
to search the packet's payload.
Would it be feasible for this info to already be on the alert message?
Perhaps some other field, like CVE and others are today, so that
the type of the alert is still the same (to facilitate searches in
a mysql database, for example: how many "icmp host unreachable"
messages do I have?), but so that I can have this info 
without having to check the payload.
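
An added example, not part of the original post and not Snort code: an ICMP destination-unreachable message carries the IP header of the datagram that could not be delivered, so the unreachable host can be read from the payload and appended to an alert as an extra field while the alert type stays constant. The function names, the alert string format and the sample addresses are assumptions made for illustration.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
CODE_NAMES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}

def unreachable_target(icmp: bytes):
    """Return (reason, original_dst_ip, original_proto) for an ICMP type 3
    message, or None if it is another type, truncated, or not IPv4 inside."""
    if len(icmp) < 8 + 20:              # ICMP header + minimal quoted IP header
        return None
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]                    # quoted header of the undelivered datagram
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(inner) < ihl:
        return None
    proto = inner[9]
    dst = socket.inet_ntoa(inner[16:20])  # the host that was unreachable
    return CODE_NAMES.get(code, f"code {code}"), dst, proto

def format_alert(sender: str, icmp: bytes) -> str:
    """Hypothetical alert line: fixed message first, packet detail as a suffix,
    so searches on the message text still match every alert of this type."""
    msg = "ICMP Destination Unreachable"
    info = unreachable_target(icmp)
    if info is None:
        return f"{msg} from {sender}"
    reason, dst, proto = info
    return f"{msg} from {sender} [unreachable={dst} proto={proto} reason={reason}]"

def build_sample() -> bytes:
    """Constructed sample: a router reports 198.51.100.7 unreachable for a
    UDP datagram sent by 192.0.2.10 (documentation addresses, checksums zero)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                           socket.inet_aton("192.0.2.10"),
                           socket.inet_aton("198.51.100.7"))
    inner_udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, 1, 0, 0)
    return icmp_hdr + inner_ip + inner_udp

if __name__ == "__main__":
    print(format_alert("203.0.113.1", build_sample()))
```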
