[Snort-users] Snort with DHCP

Erek Adams erek at ...950...
Sat May 3 12:50:06 EDT 2003


On Fri, 2 May 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:

> Oh I don't want to see the logs in tcpdump format. Now with the
> configuration I am running,
> snort is generation two files in /var/log/snort. 1) Alert, which lists
> the traffic info in an understandable way.
> 2) snort.log , which has to be decoded to read.
>
> I want all the stuff to go into alert file and not in tcpdump format.
> What should I do for that? Will it be enough if I remove the -b option
> and keep only -d?

Even if you set the alert mode to 'Full', you won't get any real info in
the alert file.  For example:

  [**] [1:498:3] ATTACK RESPONSES id check returned root [**]
  [Classification: Potentially Bad Traffic] [Priority: 2]
  04/11-10:45:33.427621 66.35.250.206:50797 -> 192.168.0.2:25
  TCP TTL:51 TOS:0x0 ID:63215 IpLen:20 DgmLen:1500 DF
  ***A**** Seq: 0xD8DC285C  Ack: 0x62241510  Win: 0x1D50  TcpLen: 32
  TCP Options (3) => NOP NOP TS: 1274931858 521985446

Whereas the pcap has the following:

  04/11-10:45:33.427621 66.35.250.206:50797 -> 192.168.0.2:25
  TCP TTL:51 TOS:0x0 ID:63215 IpLen:20 DgmLen:1500 DF
  ***A**** Seq: 0xD8DC285C  Ack: 0x62241510  Win: 0x1D50  TcpLen: 32
  TCP Options (3) => NOP NOP TS: 1274931858 521985446
  41 43 4B 20 52 45 53 50 4F 4E 53 45 53 20 69 64  ACK RESPONSES id
  0D 0A 3E 63 68 65 63 6B 20 72 65 74 75 72 6E 65  ..>check returne
  64 20 72 6F 6F 74 22 3B 20 63 6F 6E 74 65 6E 74  d root"; content

[...rest of packet snipped...]

Basically the alert file is there only for you to be able to glance thru
and see what's going on.  Otherwise it's fairly useless.

With the pcap you can actually extract the data that's needed, show it in
a standard format, have everything that you would need to give to someone
and say 'They were attacking me'.  It's got _full_ packet in the pcap,
including the payload data.  Not just an alert...

I'd suggest that you use the binary (pcap) logging in addition to the full
alerts, if you can.  That will provide the best of both worlds.  You'll
have all the data from the packet in if you need it, and you'll have a
file that you can glance thru without parsing.

BTW, If you need to extract data from the pcap file:

	snort -vdr tcpdump.log.1049980538 'host 66.35.250.206'

Was the command that I used to extract that full packet from the pcap.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list