[Snort-users] packet decodes on full alerts

Lance Spitzner lance at ...2024...
Mon Nov 19 13:37:02 EST 2001


Question on 1.8

I have Snort sending full alerts to a log file.

   output alert_full: /var/adm/snort_alerts

Is there any way I can get the alerts to include the actual
packet payload of the packet that initiated the alert?  I
have Snort running with the '-d' option, thought that
would do the trick but it is not.  Below are the alerts
I am getting, I would like to get the packet payload also.

Thanks!



[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:49.132647 216.156.130.2:3307 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:20849 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x83F3751B  Ack: 0xB46F9  Win: 0x2238  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:49.226834 216.156.130.2:3307 -> 172.16.1.108:80
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:120
***AP*** Seq: 0x83F3751B  Ack: 0x83F3751B  Win: 0x21E8  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:59.214308 216.156.130.2:4162 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:43939 IpLen:20 DgmLen:175 DF
***AP*** Seq: 0x83F382C5  Ack: 0xB46FB  Win: 0x2238  TcpLen: 20

-- 
Lance Spitzner
http://project.honeynet.org
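An added example, not from Lance's post or from the Snort project: a small parser for the `alert_full` record format shown above, so that the log can be turned into structured records and inspected for exactly the thing the question is about, namely whether a payload dump follows the five header lines of each alert. The three records embedded below are the alerts quoted in the post; the field names (`ttl`, `has_payload`, `count_by_source`) are this example's own choices, not Snort's.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The three records quoted in the post. None of them carries payload lines,
# which is the symptom the question describes.
SAMPLE_ALERT_LOG = """\
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:49.132647 216.156.130.2:3307 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:20849 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x83F3751B  Ack: 0xB46F9  Win: 0x2238  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:49.226834 216.156.130.2:3307 -> 172.16.1.108:80
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:120
***AP*** Seq: 0x83F3751B  Ack: 0x83F3751B  Win: 0x21E8  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:59.214308 216.156.130.2:4162 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:43939 IpLen:20 DgmLen:175 DF
***AP*** Seq: 0x83F382C5  Ack: 0xB46FB  Win: 0x2238  TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
TCP_RE = re.compile(
    r"^(\S{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)"
    r"\s+Win: (0x[0-9A-Fa-f]+)\s+TcpLen: (\d+)$"
)


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    timestamp: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    proto: str
    ip_fields: Dict[str, str]          # TTL, TOS, ID, IpLen, DgmLen (raw strings)
    ip_flags: List[str]                # bare tokens such as DF
    tcp_flags: Optional[str] = None    # the ***AP*** column, TCP only
    seq: Optional[int] = None
    ack: Optional[int] = None
    payload_lines: List[str] = field(default_factory=list)  # hex dump, if present

    @property
    def ttl(self) -> int:
        return int(self.ip_fields["TTL"])

    @property
    def has_payload(self) -> bool:
        return bool(self.payload_lines)


def _split_endpoint(ep: str):
    """'ip:port' -> (ip, port); protocols without ports give (ip, None)."""
    if ":" in ep:
        ip, port = ep.rsplit(":", 1)
        return ip, int(port)
    return ep, None


def parse_record(lines: List[str]) -> Alert:
    """Parse one blank-line-delimited alert_full record."""
    h = HEADER_RE.match(lines[0])
    if not h:
        raise ValueError(f"unrecognised alert header: {lines[0]!r}")
    # The Classification line is absent for rules without a classtype.
    c = CLASS_RE.match(lines[1])
    classification, priority = (c.group(1), int(c.group(2))) if c else ("", 0)
    i = 2 if c else 1
    ts, src, _arrow, dst = lines[i].split()
    src_ip, src_port = _split_endpoint(src)
    dst_ip, dst_port = _split_endpoint(dst)
    tokens = lines[i + 1].split()
    fields = dict(t.split(":", 1) for t in tokens[1:] if ":" in t)
    flags = [t for t in tokens[1:] if ":" not in t]
    alert = Alert(int(h.group(1)), int(h.group(2)), int(h.group(3)), h.group(4),
                  classification, priority, ts, src_ip, src_port, dst_ip, dst_port,
                  tokens[0], fields, flags)
    t = TCP_RE.match(lines[i + 2]) if len(lines) > i + 2 else None
    if t:
        alert.tcp_flags, alert.seq, alert.ack = t.group(1), int(t.group(2), 16), int(t.group(3), 16)
    # Anything after the protocol line is the packet dump that -d would add.
    alert.payload_lines = lines[i + 3:]
    return alert


def parse_alert_log(text: str) -> List[Alert]:
    blocks = [b.splitlines() for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    return [parse_record(b) for b in blocks]


def count_by_source(alerts: List[Alert]) -> Dict[str, int]:
    return dict(Counter(a.src_ip for a in alerts))


if __name__ == "__main__":
    for a in parse_alert_log(SAMPLE_ALERT_LOG):
        print(a.timestamp, a.sid, a.src_ip, a.src_port, "payload" if a.has_payload else "no payload")
```

Running it over the quoted log reports `no payload` for all three records, which is the quickest way to confirm whether a configuration change (or a different output plugin) actually starts writing the dump into the file, rather than eyeballing the log.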
