[Snort-users] Packet payload
erek at ...577...
Sat Jun 8 20:12:02 EDT 2002
On Sat, 8 Jun 2002, Ashley Thomas wrote:
> When a snort alert happens, can we see the
> packet payload that caused this alert?
> the logging that was created contained only as much info as the
> any pointers?
Perhaps... First off, we need to know a few things, since that makes a
difference to how/where to find the data.
What type of logging? ASCII, Binary?
If ASCII, the packet payload should be inside the dir you
specified with "-l <dirname>". You should find these files in
/var/log/snort unless you picked somewhere else with the command-line switch.
It will be broken down in the format <IP>/<type_of_traffic>:<ports>. This is
also known as ASCII logging.
If it's binary logging (the "-b" option), then it's in the binary
file inside the /var/log/snort dir, or wherever you placed it with '-l
<logdir>'; then simply use 'snort -vader <filename> -l <logdir>' to dump out
all the packets in the binary logs.
If you're just getting alerts, you can't see the data. You didn't
store it anywhere. :(
Hope that helps!
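As an added illustration of what the binary log actually holds (this is example code, not something from the reply above or from the Snort project), the script below parses a libpcap file, the format Snort's "-b" binary logging writes, walks Ethernet/IPv4/TCP, and prints each packet's application payload as a hex/ASCII dump in the spirit of what 'snort -d' shows. The pcap it reads is a constructed single-packet sample built inline, so it runs offline; the HTTP request, addresses and ports in it are made up, and checksums are left at zero because the parser does not verify them.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian libpcap, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic seen through the opposite byte order
LINKTYPE_ETHERNET = 1


def build_sample_pcap() -> bytes:
    """Constructed sample: one Ethernet/IPv4/TCP frame with a small payload,
    wrapped in a libpcap file (the format Snort's -b binary logging writes)."""
    payload = b"GET /index.html HTTP/1.0\r\n\r\n"          # constructed request
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40123, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes(12) + b"\x08\x00"           # zeroed MACs, EtherType IPv4
    frame = eth + ip + tcp + payload
    # Global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype
    gh = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    # Per-packet header: ts_sec, ts_usec, captured length, original length
    ph = struct.pack("<IIII", 1023530000, 0, len(frame), len(frame))
    return gh + ph + frame


def iter_packets(data: bytes):
    """Yield (ts_sec, linktype, frame_bytes) for every record in a pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, linktype, data[off:off + incl_len]
        off += incl_len


def extract_tcp_payload(frame: bytes, linktype: int = LINKTYPE_ETHERNET):
    """Walk Ethernet -> IPv4 -> TCP; return addressing plus the application
    payload, or None if the frame is not IPv4/TCP."""
    if linktype != LINKTYPE_ETHERNET or len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:                           # protocol 6 is TCP
        return None
    tcp = ip[ihl:total_len]                  # trims any Ethernet trailer padding
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4            # TCP header length incl. options
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport,
        "payload": tcp[data_off:],
    }


def hexdump(data: bytes, width: int = 16) -> list:
    """Render bytes as hex plus printable ASCII, in the style of snort -d."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{hexpart}  {asc}")
    return lines


def dump_payloads(pcap: bytes) -> list:
    """One record per TCP packet in the log, with its payload and hexdump lines."""
    out = []
    for ts_sec, linktype, frame in iter_packets(pcap):
        info = extract_tcp_payload(frame, linktype)
        if info is not None:
            info["ts_sec"] = ts_sec
            info["dump"] = hexdump(info["payload"])
            out.append(info)
    return out


if __name__ == "__main__":
    for rec in dump_payloads(build_sample_pcap()):
        print(f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}")
        print("\n".join(rec["dump"]))
```

To use it on a real binary log, replace the call to build_sample_pcap() with the bytes of the file Snort wrote under the -l directory; the point the reply makes still stands, though: if only alerts were recorded, there is no such file to read.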