[Snort-users] matching logs..

Ashley Thomas athomas at ...5484...
Thu Jun 6 11:08:09 EDT 2002

Missed the log for the second case..

The log in the second case looked like this :
( for ./snort -dve -i eth1 -llog-dir2)

06/06-00:20:03.465299 0:X:0:XX:XX:XX -> 0:X:XX:XX:1X:XX type:0x800 len:0x3C
P.Q.R.S:4369 -> A.B.C.D:14630 TCP TTL:113 TOS:0x0 ID:44568 IpLen:20
DgmLen:40 DF
***A**** Seq: 0x5EC73BBF  Ack: 0xF318ACF8  Win: 0x4380  TcpLen: 20



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Ashley
Sent: Thursday, June 06, 2002 1:54 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] matching logs..


I was trying to make sense out of the logs i got while running snort.

I ran snort in two modes

1. ./snort -i eth1 -c snort.conf -llog-dir

i get an alert

[**] SHELLCODE x86 setgid 0 [**]
06/06-00:19:41.157463 A.B.C.D:14630 -> P.Q.R.S:4369
TCP TTL:62 TOS:0x0 ID:51704 IpLen:20 DgmLen:1480 DF
***A**** Seq: 0xF2FC9838  Ack: 0x5EC73BBF  Win: 0x16D0  TcpLen: 20

2. I had also ran snort as
./snort -dve -i eth1 -llog-dir2

There should be a corresponding entry for this alert in log-dir2 also ,
right ?

I see lot of files TCP:port1-port2 where port1-port2 are numbers

Now i look for the combination 14630:4369 since the alert is that combo.
In fact there is a file TCP:14630-4369 but
it shows
all the logs having P.Q.R.S:4369 -> A.B.C.D:14630 EXACTLY opposite as in the
alert !!
and there is no file TCP:4369-14630 !!

Why is the direction shown in the opposite direction ? Does that mean
If anyone could clarify it would be great !



Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list