[Snort-users] Alert messages in packet dumps
Neil Dickey
neil at ...1633...
Mon Apr 14 06:47:06 EDT 2003
I solved my problem, described below in my post to the list last week,
by abandoning the tcpdump format output. I would have liked to use it
because it is faster and more economical of space, but I never could
get it to do what I wanted it to and thought it should.
Best regards,
Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>I've read the Snort manual, the man page, and checked the FAQ, but I
>haven't found the answer to my problem. First, here's what I'm running:
>
> Snort version 2.0.0.rc3
> Solaris 2.7
>
>Alerts are going into an ASCII alert file, and the packets are stored
>in a tcpdump-format file. This is the relevant entry in my snort.conf
>file:
>
> output log_tcpdump: /$LOGPATH/tcpdump.log
>
>Here is my command line for invoking Snort in daemon mode:
>
> snort -dDe -A full -h my.home.net.0/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o -k none
>
>This is what I'm currently using to translate the tcpdump file:
>
> snort -deX -q -A full -l $LOGPATH -r $LOGPATH/$READFILE
>
>The problem is that when I decode the tcpdump file I haven't found a way
>to get the alert messages to be written with the packet headers and contents
>that the associated rule generated. Here's what I get when I don't use
>the tcpdump output option:
>
>[**] WEB-CGI formmail access [**]
>04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
>bad.guy.net.188:1562 -> my.home.net.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
>***AP*** Seq: 0x1101259E Ack: 0xDA5E3BE7 Win: 0x2238 TcpLen: 20
>47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99 GET http://wweb.
>99 99 99 99 99 99 99 99 99 65 64 75 2F 63 67 69 serv.uni.edu/cgi
>2D 62 69 6E 2F 66 6F 72 6D 6D 61 69 6C 2E 70 6C -bin/formmail.pl
>[ ... ]
>
>Here's all I can get so far when I decode the tcpdump output:
>
>04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
>bad.guy.net.188:1562 -> my.home.net.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
>***AP*** Seq: 0x1101259E Ack: 0xDA5E3BE7 Win: 0x2238 TcpLen: 20
>47 45 54 20 68 74 74 70 3A 2F 2F 99 99 99 99 99 GET http://wweb.
>99 99 99 99 99 99 99 99 99 65 64 75 2F 63 67 69 serv.uni.edu/cgi
>2D 62 69 6E 2F 66 6F 72 6D 6D 61 69 6C 2E 70 6C -bin/formmail.pl
>[ ... ]
>
>If I include the Snort configuration file on the command line I use to
>translate the tcpdump file ...
>
> -c $RULESPATH/$RULESNAME
>
>... the output is then in "alert" format, that is, in chronological order
>and all in one file, rather than having the packets stored in individual
>subdirectories named for the external net IP address -- which is what I
>want.
>
>So, how do I use the tcpdump-format data to extract packet captures, with
>headers, sorted by the external net IP address, that also include the alert
>message for each packet? Any help will be very much appreciated.
>
[ .... ]
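The correlation the post asks for (packets bucketed by the external address, each carrying the alert message its rule produced), as an added example that is not from the post or from Snort itself: it parses the `-A full` alert layout quoted above and a libpcap file using only the standard library, assuming a constructed home net of 192.0.2.0/24 and constructed sample alert text and frames (the `build_*` helpers exist only to fabricate test input).

```python
import re, struct, ipaddress
HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed home net (constructed value)
# Constructed sample in the "-A full" alert layout quoted in the post.
ALERTS = """[**] WEB-CGI formmail access [**]
04/01-01:30:38.479153 99:88:77:66:55:44 -> 00:11:22:33:44:55 type:0x800 len:0x10A
198.51.100.188:1562 -> 192.0.2.6:80 TCP TTL:107 TOS:0x0 ID:7007 IpLen:20 DgmLen:252 DF
"""
ALERT_RE = re.compile(r"\[\*\*\] (.+?) \[\*\*\]\n.*\n(\S+):(\d+) -> (\S+):(\d+)")

def parse_alerts(text):
    """Map (src, sport, dst, dport) -> alert message from full-format alert text."""
    return {(m[2], int(m[3]), m[4], int(m[5])): m[1] for m in ALERT_RE.finditer(text)}

def pcap_packets(data):
    """Yield (timestamp, frame) from a little-endian libpcap file (magic a1b2c3d4)."""
    assert struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4, "unsupported pcap magic"
    off = 24  # skip the global header; each record then has a 16-byte header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        yield sec + usec / 1e6, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def five_tuple(frame):
    """(src, sport, dst, dport) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6: return None
    sport, dport = struct.unpack_from("!HH", frame, 14 + (frame[14] & 0x0F) * 4)
    return str(ipaddress.ip_address(frame[26:30])), sport, str(ipaddress.ip_address(frame[30:34])), dport

def group_by_external(pcap, alerts):
    """Bucket packets by the non-home-net address (as snort -l does), tagging each with its alert."""
    out = {}
    for ts, frame in pcap_packets(pcap):
        key = five_tuple(frame)
        if key is None: continue
        ext = key[2] if ipaddress.ip_address(key[0]) in HOME_NET else key[0]
        out.setdefault(ext, []).append((ts, alerts.get(key), frame))
    return out

def build_frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; not validated above)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1101259E, 0xDA5E3BE7, 0x50, 0x18, 0x2238, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 7007, 0x4000, 107, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return bytes.fromhex("001122334455" "998877665544" "0800") + ip + tcp + payload

def build_pcap(frames):
    """Constructed libpcap file (linktype 1 = Ethernet) from [(seconds, frame)] pairs."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", int(ts), 0, len(f), len(f)) + f for ts, f in frames)
```

Each bucket in the returned dict corresponds to one of the per-IP subdirectories Snort writes with `-l`, with the alert text attached to the packet that triggered it and `None` on the rest of the flow.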