[Snort-users] matching logs..

Erek Adams erek at ...577...
Thu Jun 6 11:09:11 EDT 2002

On Thu, 6 Jun 2002, Ashley Thomas wrote:

> I was trying to make sense out of the logs i got while running snort.


> [**] SHELLCODE x86 setgid 0 [**]
> 06/06-00:19:41.157463 A.B.C.D:14630 -> P.Q.R.S:4369
> TCP TTL:62 TOS:0x0 ID:51704 IpLen:20 DgmLen:1480 DF
> ***A**** Seq: 0xF2FC9838  Ack: 0x5EC73BBF  Win: 0x16D0  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 2. I had also ran snort as
> ./snort -dve -i eth1 -llog-dir2
> There should be a corresponding entry for this alert in log-dir2 also ,
> right ?
> I see lot of files TCP:port1-port2 where port1-port2 are numbers
> Now i look for the combination 14630:4369 since the alert is that combo.
> In fact there is a file TCP:14630-4369 but
> it shows
> all the logs having P.Q.R.S:4369 -> A.B.C.D:14630 EXACTLY opposite as in the
> alert !!
> ----------------------------------------------------------------------------
> ----------
> and there is no file TCP:4369-14630 !!
> Why is the direction shown in the opposite direction ? Does that mean
> something..
> If anyone could clarify it would be great !


This could be quite normal.  From:

"Of course, this assumes you have a directory named "log" in the current
directory. If you don't, Snort will exit with an error message.
When Snort runs in this mode, it collects every packet it sees and places it
in a directory hierarchy based upon the IP address of one of
the hosts in the datagram.

If you just specify a plain "-l" switch, you may notice that Snort sometimes
uses the address of the remote computer as the directory in
which it places packets, and sometimes it uses the local host address. In
order to log relative to the home network, you need to tell
Snort which network is the home network:

      ./snort -dev -l ./log -h

This rule tells Snort that you want to print out the data link and TCP/IP
headers as well as application data into the directory ./log,
and you want to log the packets relative to the class C network.
All incoming packets will be recorded into subdirectories of
the log directory, with the directory names being based on the address of the
remote (non-192.168.1) host. Note that if both hosts are on
the home network, then they are recorded based upon the higher of the two's
port numbers, or in the case of a tie, the source address. "

More information about the Snort-users mailing list