[Snort-users] logging question

Anthony Buser ABuser at ...2078...
Fri May 25 11:54:58 EDT 2001

This is what I do...

Start snort like this:
snort -d -h -l /var/log/snort -c /etc/snort.conf

Add a line to your snort.conf like this:
output log_tcpdump: snort.tcpdump

Then it will log the packet dumps in files named like
0525 at ...2117... in your /var/log/snort dir.

You can then use snort to convert these files into more human readable
format by doing this:
snort -r 0525 at ...2117... -dve > tcpdump.txt

Tony Buser
Unconundrum, Inc. http://www.unconundrum.com
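The read-back step above, as an added example that is not Tony's or Snort's own code: a small Python reader for the pcap file that `output log_tcpdump` writes, printing each packet in the offset/hex/ASCII layout of `snort -X` and picking out the packet that belongs to a given alert-line timestamp. It assumes the classic libpcap file layout (24-byte global header, 16-byte record headers, either byte order), UTC for the timestamp (Snort itself prints local time), and a constructed pcap wrapper around the frame quoted in the question below; the function names are the example's own.

```python
"""Read back packets from the pcap file that Snort's 'output log_tcpdump' writes
and print them the way 'snort -X' does, matched to an alert-log timestamp.

Added example, not Snort's code. Assumes the classic libpcap file format and
UTC timestamps; the helper names are this example's own."""
import re
import struct
from datetime import datetime, timezone

GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap magic number


def parse_pcap(data):
    """Return a list of (ts_sec, ts_usec, packet_bytes) records from pcap bytes.

    Both byte orders are accepted. A truncated trailing record raises
    ValueError instead of silently yielding a short packet."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than pcap global header")
    if struct.unpack("<I", data[:4])[0] == MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == MAGIC:
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    records = []
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        if len(data) - off < incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return records


def snort_timestamp(ts_sec, ts_usec):
    """Format a capture time as Snort prints it in alert files: MM/DD-HH:MM:SS.usec."""
    t = datetime.fromtimestamp(ts_sec, tz=timezone.utc)  # assumption: UTC
    return t.strftime("%m/%d-%H:%M:%S") + ".%06d" % ts_usec


def hexdump(packet):
    """Render packet bytes as 'snort -X' style lines: offset, 16 hex bytes, ASCII column."""
    lines = []
    for off in range(0, len(packet), 16):
        chunk = packet[off:off + 16]
        hexpart = " ".join("%02X" % b for b in chunk)
        asciipart = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append("0x%04X: %-47s  %s" % (off, hexpart, asciipart))
    return "\n".join(lines)


ALERT_TS = re.compile(r"(\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})")


def packets_for_alert(records, alert_line):
    """Return the records whose capture time equals the timestamp in an alert-log line."""
    m = ALERT_TS.search(alert_line)
    if not m:
        return []
    return [r for r in records if snort_timestamp(r[0], r[1]) == m.group(1)]


# --- constructed sample data ---------------------------------------------
# The frame bytes are the ones quoted in the question; the pcap wrapper around
# them is built here so the example runs without a real Snort log.
SAMPLE_PACKET = bytes.fromhex(
    "00 E0 29 5A C5 42 00 01 03 02 0D 64 08 00 45 00"
    "00 3C 54 67 40 00 80 06 FB B6 8C B8 48 90 8C B8"
    "48 9D 04 3C 00 16 C0 66 F5 81 D7 A6 3B B4 50 18"
    "00 48 8E 18 00 00 00 00 00 0A 1D 30 9F A2 D0 CE"
    "A9 9D 6A 8C 84 DA 89 3B F9 38"
)
SAMPLE_TIME = datetime(2001, 5, 24, 12, 27, 8, tzinfo=timezone.utc)
SAMPLE_ALERT = "05/24-12:27:08.243426 x.x.x.x:1084 -> x.x.x.x:22"


def build_pcap(records, snaplen=1514):
    """Serialize records as a little-endian pcap (used only to construct the sample)."""
    out = struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for ts_sec, ts_usec, pkt in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out


SAMPLE_PCAP = build_pcap([(int(SAMPLE_TIME.timestamp()), 243426, SAMPLE_PACKET)])

if __name__ == "__main__":
    for ts_sec, ts_usec, pkt in packets_for_alert(parse_pcap(SAMPLE_PCAP), SAMPLE_ALERT):
        print(snort_timestamp(ts_sec, ts_usec), "(%d bytes)" % len(pkt))
        print(hexdump(pkt))
```

The alert file and the tcpdump log record the same capture time for a packet, so matching on that timestamp is enough to pull the right frame out after the fact; `snort -r` as described above (or `tcpdump -r file -X`) gives the same view from the command line, this reader just shows what those tools are doing with the file.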

-----Original Message-----
From: Fred Edwards [mailto:Fred.Edwards at ...2111...]
Sent: Friday, May 25, 2001 8:49 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] logging question

I have a question about the alert log and its format.
My alert log generally looks like so for each alert:

[**]  ICMP Destination Unreachable [**]
05/23-13:30:15.604004 x.x.x.x -> x.x.x.x
ICMP TTL:254 TOS:0x0 ID:543 IpLen:20 DgmLen:56
x.x.x.x:138 -> x.x.x.x:138
UDP TTL:127 TOS:0x0 ID:53795 IpLen:20 DgmLen:253
Len: 233

Is there any way to have the alert also dump the hex packet/datagram
like I get in standard output when I issue the snort command
"snort -vv -i eth0 -X"? For example:

05/24-12:27:08.243426 x.x.x.x:1084 -> x.x.x.x:22
TCP TTL:128 TOS:0x0 ID:21607 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xC066F581  Ack: 0xD7A63BB4  Win: 0x48  TcpLen: 20
0x0000: 00 E0 29 5A C5 42 00 01 03 02 0D 64 08 00 45 00
0x0010: 00 3C 54 67 40 00 80 06 FB B6 8C B8 48 90 8C B8
.<Tg at ...2109...
0x0020: 48 9D 04 3C 00 16 C0 66 F5 81 D7 A6 3B B4 50 18
0x0030: 00 48 8E 18 00 00 00 00 00 0A 1D 30 9F A2 D0 CE
0x0040: A9 9D 6A 8C 84 DA 89 3B F9 38

Or can I get that info dumped into another file... but some way
of viewing the contents of the packet AFTER the fact...

Fred Edwards
Library Systems Technician
Patrick Power Library
Saint Mary's University
Halifax, Nova Scotia    B3H 3C3

Phone:    (902) 420-5096
Fax:        (902) 420-5561
E-mail:    Fred.Edwards at ...2110...
Website: http://www.stmarys.ca/administration/library/

Quis custodiet ipsos custodes?
