[Snort-users] Alert messages in packet dumps

Neil Dickey neil at ...1633...
Mon Apr 14 06:47:06 EDT 2003


I solved my problem, described below in my post to the list last week,
by abandoning the tcpdump format output.  I would have liked to use it
because it is faster and more economical of space, but I never could
get it to do what I wanted it to and thought it should.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

>I've read the Snort manual, the man page, and checked the FAQ, but I
>haven't found the answer to my problem.  First, here's what I'm running:
>
>  Snort version 2.0.0.rc3
>  Solaris 2.7
>
>Alerts are going into an ASCII alert file, and the packets are stored
>in a tcpdump-format file.  This is the relevant entry in my snort.conf
>file:
>
>  output log_tcpdump: /$LOGPATH/tcpdump.log
>
>Here is my command line for invoking Snort in daemon mode:
>
>  snort -dDe -A full -h my.home.net.0/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o -k none
>
>This is what I'm currently using to translate the tcpdump file:
>
>  snort -deX -q -A full -l $LOGPATH -r $LOGPATH/$READFILE
>
>The problem is that when I decode the tcpdump file I haven't found a way
>to get the alert messages to be written with the packet headers and contents
>that the associated rule generated.  Here's what I get when I don't use
>the tcpdump output option:
>
>[**] WEB-CGI formmail access [**]
>04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
>bad.guy.net.188:1562 -> my.home.net.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
>***AP*** Seq: 0x1101259E  Ack: 0xDA5E3BE7  Win: 0x2238  TcpLen: 20
>47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99  GET http://wweb.
>99 99 99 99 99 99 99 99 99 65 64 75 2F 63 67 69  serv.uni.edu/cgi
>2D 62 69 6E 2F 66 6F 72 6D 6D 61 69 6C 2E 70 6C  -bin/formmail.pl
>[ ... ]
>
>Here's all I can get so far when I decode the tcpdump output:
>
>04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
>bad.guy.net.188:1562 -> my.home.net.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
>***AP*** Seq: 0x1101259E  Ack: 0xDA5E3BE7  Win: 0x2238  TcpLen: 20
>47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99  GET http://wweb.
>99 99 99 99 99 99 99 99 99 65 64 75 2F 63 67 69  serv.uni.edu/cgi
>2D 62 69 6E 2F 66 6F 72 6D 6D 61 69 6C 2E 70 6C  -bin/formmail.pl
>[ ... ]
>
>If I include the Snort configuration file on the command line I use to
>translate the tcpdump file ...
>
>  -c $RULESPATH/$RULESNAME
>
>... the output is then in "alert" format, that is, in chronological order
>and all in one file, rather than having the packets stored in individual
>subdirectories named for the external net IP address -- which is what I
>want.
>
>So, how do I use the tcpdump-format data to extract packet captures, with
>headers, sorted by the external net IP address, that also include the alert
>message for each packet?  Any help will be very much appreciated.
>
[ .... ]
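One way to do the post-processing the poster was after, as an added example that is not from the poster or the Snort project: parse the "-A full" text dump in the layout quoted above, decide which endpoint of each record lies outside HOME_NET (the -h value), and group the alert messages chronologically under that external address. The sample records, the "CONSTRUCTED-SIG" signature name and the 10.0.0.0/24 home net are constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the "-A full" layout quoted in the post (RFC 5737/1918 addresses).
SAMPLE_LOG = """\
[**] WEB-CGI formmail access [**]
04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
192.0.2.188:1562 -> 10.0.0.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF

[**] CONSTRUCTED-SIG example alert [**]
04/01-01:31:02.100000 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x9C
198.51.100.7:40123 -> 10.0.0.6:80 TCP TTL:51 TOS:0x0 ID:1 IpLen:20 DgmLen:140 DF

[**] WEB-CGI formmail access [**]
04/01-01:32:15.000000 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
192.0.2.188:1570 -> 10.0.0.9:80 TCP TTL:107 TOS:0x0 ID:7010 IpLen:20 DgmLen:252 DF
"""

ALERT_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
TS_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ")
IP_RE = re.compile(r"^(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+ ")

def parse_records(text):
    """One dict per '[**] msg [**]' block: msg, first timestamp, src/dst IPs."""
    records, cur = [], None
    for line in text.splitlines():
        if m := ALERT_RE.match(line):
            cur = {"msg": m.group("msg")}
            records.append(cur)
        elif cur is not None and (m := TS_RE.match(line)):
            cur.setdefault("ts", m.group("ts"))
        elif cur is not None and (m := IP_RE.match(line)):
            cur.setdefault("src", m.group("src"))
            cur.setdefault("dst", m.group("dst"))
    return records

def group_by_external(text, home_net):
    """Map external IP -> chronologically sorted (timestamp, alert message)."""
    home = ip_network(home_net)  # the poster's -h HOME_NET value
    groups = defaultdict(list)
    for rec in parse_records(text):
        if not all(k in rec for k in ("ts", "src", "dst")):
            continue  # truncated record: no timestamp or IP header line
        # the external party is whichever endpoint is outside HOME_NET
        ext = next((rec[s] for s in ("src", "dst") if ip_address(rec[s]) not in home), None)
        if ext is not None:
            groups[ext].append((rec["ts"], rec["msg"]))
    return {ip: sorted(hits) for ip, hits in groups.items()}
```

Each key of the returned dict is the external address the poster wanted as a subdirectory name, and its list carries the alert message beside every packet's timestamp.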
