[Snort-users] packet decodes on full alerts

Erek Adams erek at ...577...
Mon Nov 19 13:48:01 EST 2001

On Mon, 19 Nov 2001, Lance Spitzner wrote:

> Question on 1.8
> I have Snort sending full alerts to a log file.
>    output alert_full: /var/adm/snort_alerts
> Is there any way I can get the alerts to include the actual
> packet payload of the packet that initiated the alert?  I
> have Snort running with the '-d' option, thought that
> would do the trick but it is not.  Below are the alerts
> I am getting, I would like to get the packet payload also.

You can't get it into the snort_alerts file.  The alerts file(s) are the
alerts and packet headers only.  If you want to get the full payload, log to
binary, and then post-process the binary log file.  Use something like 'snort
-dvr <binary file> -l <logdir>' and it will break down all the packets in the
binary file to the decoded output in <logdir>/<IP Address>/.  If you don't
want all alerts, be sure and use a BPF filter at the end to only get what you
want to see: "host foo" or "port foo".

Hope that helps!

Erek Adams
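
Added example, not part of the original post and not Snort code: Snort's binary log is a tcpdump-format file, so the payload the alert file omits can also be recovered by reading that file directly. The sketch below goes beyond the 'snort -dvr' command in the reply by doing the "host foo" selection and payload extraction in Python; it assumes Ethernet/IPv4/TCP only, and the function names and sample packet are constructed for illustration.

```python
import socket
import struct

def build_sample_pcap():
    """Constructed sample: one Ethernet/IPv4/TCP packet in a tcpdump-format file."""
    payload = b"GET /constructed-sample HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1
    rhdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return ghdr + rhdr + frame

def payloads_for_host(pcap_bytes, host):
    """Return (src, sport, dst, dport, payload) for TCP packets to or from host."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)  # byte order of the writer
    if end is None:
        raise ValueError("not a tcpdump-format file")
    if struct.unpack_from(end + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    out, off = [], 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack_from(end + "I", pcap_bytes, off + 8)[0]
        frame = pcap_bytes[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4                   # IP header length
        total_len = struct.unpack_from("!H", frame, 16)[0]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        if frame[23] != 6 or host not in (src, dst):   # TCP and host match
            continue
        tcp_off = 14 + ihl
        if len(frame) < tcp_off + 20:                  # truncated capture
            continue
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4      # TCP header length
        # Slice to the IP total length so Ethernet padding is not counted.
        out.append((src, sport, dst, dport, frame[tcp_off + data_off: 14 + total_len]))
    return out

if __name__ == "__main__":
    for rec in payloads_for_host(build_sample_pcap(), "192.0.2.20"):
        print(rec)
```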
