[Snort-users] Alert messages in packet dumps

Neil Dickey neil at ...1633...
Wed Apr 9 11:37:06 EDT 2003


I've read the Snort manual, the man page, and checked the FAQ, but I
haven't found the answer to my problem.  First, here's what I'm running:

  Snort version 2.0.0.rc3
  Solaris 2.7

Alerts are going into an ASCII alert file, and the packets are stored
in a tcpdump-format file.  This is the relevant entry in my snort.conf
file:

  output log_tcpdump: /$LOGPATH/tcpdump.log

Here is my command line for invoking Snort in daemon mode:

  snort -dDe -A full -h my.home.net.0/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o -k none

This is what I'm currently using to translate the tcpdump file:

  snort -deX -q -A full -l $LOGPATH -r $LOGPATH/$READFILE

The problem is that when I decode the tcpdump file I haven't found a way
to get the alert messages to be written with the packet headers and contents
that the associated rule generated.  Here's what I get when I don't use
the tcpdump output option:

[**] WEB-CGI formmail access [**]
04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
bad.guy.net.188:1562 -> my.home.net.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
***AP*** Seq: 0x1101259E  Ack: 0xDA5E3BE7  Win: 0x2238  TcpLen: 20
47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99  GET http://wweb.
99 99 99 99 99 99 99 99 99 65 64 75 2F 63 67 69  serv.uni.edu/cgi
2D 62 69 6E 2F 66 6F 72 6D 6D 61 69 6C 2E 70 6C  -bin/formmail.pl
[ ... ]

Here's all I can get so far when I decode the tcpdump output:

04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
bad.guy.net.188:1562 -> my.home.net.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
***AP*** Seq: 0x1101259E  Ack: 0xDA5E3BE7  Win: 0x2238  TcpLen: 20
47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99  GET http://wweb.
99 99 99 99 99 99 99 99 99 65 64 75 2F 63 67 69  serv.uni.edu/cgi
2D 62 69 6E 2F 66 6F 72 6D 6D 61 69 6C 2E 70 6C  -bin/formmail.pl
[ ... ]

If I include the Snort configuration file on the command line I use to
translate the tcpdump file ...

  -c $RULESPATH/$RULESNAME

... the output is then in "alert" format, that is, in chronological order
and all in one file, rather than having the packets stored in individual
subdirectories named for the external net IP address -- which is what I
want.

So, how do I use the tcpdump-format data to extract packet captures, with
headers, sorted by the external net IP address, that also include the alert
message for each packet?  Any help will be very much appreciated.

On another note, Erek Adams posted some links yesterday to guidelines
on using the Snort list and I particularly noticed the comments regarding
the outlandish disclaimers, warnings, and confidentiality statements, now
so much in vogue.  I encountered a remarkably egregious one on another
list I read, and couldn't resist parodying it.  So don't freak, or drink
yourself blotto if you're playing the game, when you see the one below.
It's a joke, obviously, but it's not *too* far from the original.  Honest.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

**********************************************************************

This e-mail and any file(s) transmitted with it are TOP SECRET and
not intended to be read by anybody, let alone by you.  If you have
received this e-mail, then you must destroy it immediately, unread,
by eating it, or men who wear black suits and dark glasses will
whisk you away to a remote, secure, and undisclosed location, there
to do unspeakable things to your tender parts.  If you haven't
received this e-mail, and never do, then you are probably safe for
the time being.

This footnote also confirms that this message has been swept to the
best of our current abilities to remove dust, pet dander, pollen,
beach sand, Britney Spears, and any rational content that may have
inadvertently been included in it.  You should NOT take this as any
guarantee or warrant that such material is free of computer viruses,
worms, or the like, and if you really ARE willing to trust people
far away, whom you've never met and never will, who are running
software you are not familiar with, to keep YOUR OWN computer virus-
free, then you have no business being within arm's reach of anything
that is connected to the internet.

Occasionally electronic communications are monitored and stored in
convenient databases by the Men-In-Black-Suits mentioned above, by
various crackers, terrorists, thieves, pornographers, foreign
governments, and your next-door neighbor's kid, in order that they
may keep tabs on what you are doing.  These people are not obliged
in any effective manner to respect some right to privacy you may
think you enjoy, and, as a matter of fact, derive endless amusement
from your profoundly naive assumption that it exists.  Skeptical?
Have a look here, and don't neglect the back issues:

  http://www.phrack.org/

**********************************************************************






More information about the Snort-users mailing list