[Snort-users] Confused on obfuscation

Paul Farley Paul.Farley at ...5111...
Mon Mar 11 09:07:03 EST 2002

That's a mouthful!  

I can't seem to get this to work as I think it's supposed to, any ideas
on what I'm doing wrong?

I want to obfuscate my home_net addresses.( In this case specifically
this host for this example) but not the external addresses.  Everytime I
do this, it blanks all the addresses.

snort -dvr log -O -h MY.NET.9.170/32 'host and (port 4832
and port 80)'

Log directory = /var/log/snort
TCPDUMP file reading mode.
Reading network traffic from "log" file.
snaplen = 150

        --== Initializing Snort ==--

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.4-beta5 (Build 98)
By Martin Roesch (roesch at ...1935..., www.snort.org)
02/16-03:25:26.647724 xxx.xxx.xxx.xxx:4832 -> xxx.xxx.xxx.xxx:80
TCP TTL:115 TOS:0x0 ID:26092 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xE74AC174  Ack: 0x4A529D53  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F  GET /scripts/roo
74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54  t.exe?/c+dir HTT
50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77  P/1.0..Host: www
0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63  ..Connnection: c
6C 6F 73 65 0D 0A 0D 0A                          lose....


Any suggestions are most appreciated.


Paul Farley
EventLevel, Inc.
Paul.Farley at ...5111...
SMS Message: 6784292716 at ...5208...

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Dr.
Richard W. Tibbs
Sent: Monday, March 11, 2002 10:37 AM
To: Roelof JT Jonkman
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Finding a Win32 Snort

I looked at the IDScenter config panels today after installing on Win2K.
It seems there is no socket logging facility available thru IDScenter.
(i.e. like snort -A unsock ...)

Is this true?
Would I need to use command line to use a socket program to capture 
packet data?

Roelof JT Jonkman wrote:

>A whole variety of 'plain' versions of Windows Snort are available from
>Mostly courtesy of Chris Reid, Michael Steele, and Joe McAlerney.
>		roel
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list