[Snort-users] snort 1.8.3 not logging payload

Benjamin Collins bencollins at ...5072...
Sun Feb 24 09:32:02 EST 2002


I am running snort 1.8.3 on a RedHat 7.2 (2.4.10-7) machine.  I am
trying to log all the data from TCP packets that match certain rules,
but it's not working.  I know the packets are matching the rules,
because the correct alerts are being generated, but the full packets are
nowhere to be found.  In the config file, I am using the 'config
dump_payload' directive, and in the command used to start snort I am
using the -d option.  

Some information is being logged into directories named after IP
addresses, but I don't think they are complete packets -- for example:

Here's an alert generated by a rule I wrote:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/23-17:25:53.148618 10.1.1.6:4569 -> 172.16.1.12:23
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xFA54EC12  Ack: 0x0  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Yet in the /var/log/snort/10.1.1.6/ directory, there is no TCP:4569-23
file, and even in the files that are in there, there is no application
data.

Anyone know what might be going on?
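An added example, not from the poster or the Snort project: it parses an alert block in the format quoted above and derives the TCP payload length from the header fields (DgmLen minus IpLen minus TcpLen), which is the application data that -d / dump_payload would write out. The sample alert is constructed in that format, and the log-file naming helper assumes the <srcip>/TCP:<sport>-<dport> layout the post describes.

```python
import re

# Constructed sample in the Snort 1.x alert layout (not captured from the poster's system).
SAMPLE_ALERT = """02/23-17:25:53.148618 10.1.1.6:4569 -> 172.16.1.12:23
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xFA54EC12  Ack: 0x0  Win: 0x0  TcpLen: 20
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IP_RE = re.compile(
    r"^(?P<proto>\w+) TTL:(?P<ttl>\d+) .*?IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")
TCP_RE = re.compile(r"^(?P<flags>[*A-Z12]{8}) Seq: .*?TcpLen: (?P<tcplen>\d+)")

# Snort's eight flag positions: reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN.
FLAG_NAMES = "12UAPRSF"


def parse_alert(text):
    """Return the addresses, TCP flags and payload length described by one alert block."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    hdr, ip, tcp = HEADER_RE.match(lines[0]), IP_RE.match(lines[1]), TCP_RE.match(lines[2])
    if not (hdr and ip and tcp):
        raise ValueError("unrecognised alert layout")
    iplen, dgmlen, tcplen = int(ip["iplen"]), int(ip["dgmlen"]), int(tcp["tcplen"])
    flags = {name for name, ch in zip(FLAG_NAMES, tcp["flags"]) if ch != "*"}
    return {
        "src": hdr["src"], "sport": int(hdr["sport"]),
        "dst": hdr["dst"], "dport": int(hdr["dport"]),
        "flags": flags,
        # Bytes of application data: IP datagram minus IP header minus TCP header.
        "payload_len": dgmlen - iplen - tcplen,
    }


def expected_log_file(alert):
    """Assumed per-session file name following the <srcip>/TCP:<sport>-<dport> layout the post describes."""
    return f"{alert['src']}/TCP:{alert['sport']}-{alert['dport']}"


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_ALERT)
    print(expected_log_file(parsed), sorted(parsed["flags"]), parsed["payload_len"])
```

A zero result from payload_len means the alerting packet carried no application data, so there was nothing for the payload dump to record even when -d is set.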