[Snort-users] matching logs..

Ashley Thomas athomas at ...5484...
Thu Jun 6 10:55:04 EDT 2002


Hi,

I was trying to make sense out of the logs I got while running Snort.

I ran snort in two modes

1. ./snort -i eth1 -c snort.conf -llog-dir

I get an alert:

[**] SHELLCODE x86 setgid 0 [**]
06/06-00:19:41.157463 A.B.C.D:14630 -> P.Q.R.S:4369
TCP TTL:62 TOS:0x0 ID:51704 IpLen:20 DgmLen:1480 DF
***A**** Seq: 0xF2FC9838  Ack: 0x5EC73BBF  Win: 0x16D0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

2. I had also run Snort as
./snort -dve -i eth1 -llog-dir2

There should be a corresponding entry for this alert in log-dir2 also,
right?

I see a lot of files TCP:port1-port2 where port1-port2 are numbers.

Now I look for the combination 14630:4369 since the alert is that combo.
In fact there is a file TCP:14630-4369, but it shows
all the logs having P.Q.R.S:4369 -> A.B.C.D:14630, EXACTLY the opposite of the
alert!!
and there is no file TCP:4369-14630!!

Why is the direction shown in the opposite direction? Does that mean
something?
If anyone could clarify, it would be great!


thanks
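Added example, not part of the post and not Snort's own code: a small Python parser for the alert header format quoted above that reduces each packet to a direction-independent session name, showing how both directions of the 14630/4369 conversation can end up in a single TCP:14630-4369 file. The "higher port first" ordering is an assumption chosen to reproduce what the post observes, not a quote of Snort's naming rule, and the reply packet in the sample is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample: the post's alert plus a made-up reply going the other way.
SAMPLE_ALERTS = """\
[**] SHELLCODE x86 setgid 0 [**]
06/06-00:19:41.157463 A.B.C.D:14630 -> P.Q.R.S:4369
TCP TTL:62 TOS:0x0 ID:51704 IpLen:20 DgmLen:1480 DF
06/06-00:19:41.201122 P.Q.R.S:4369 -> A.B.C.D:14630
TCP TTL:64 TOS:0x0 ID:51705 IpLen:20 DgmLen:52 DF
"""

# Second line of a Snort alert: timestamp, then src:port -> dst:port.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")
PROTO_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP)\b")  # third line starts with proto

@dataclass(frozen=True)
class Packet:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def session_file(self) -> str:
        # ASSUMPTION: higher port first, so both directions share one name;
        # this reproduces the grouping the post observes, not Snort's source.
        hi, lo = sorted((self.sport, self.dport), reverse=True)
        return f"{self.proto}:{hi}-{lo}"

def parse_alerts(text: str) -> list:
    """Extract one Packet per alert from Snort-style alert text."""
    lines = text.splitlines()
    pkts = []
    for i, line in enumerate(lines[:-1]):
        m = HEADER_RE.match(line)
        p = PROTO_RE.match(lines[i + 1])
        if m and p:
            pkts.append(Packet(m["ts"], p["proto"], m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"])))
    return pkts

def group_by_session(pkts: list) -> dict:
    # Map each session file name to its packets, both directions included.
    groups = {}
    for p in pkts:
        groups.setdefault(p.session_file(), []).append(p)
    return groups
```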