[Snort-users] session output

Costas Magos kmag at ...7022...
Mon Nov 3 07:04:17 EST 2003


hi all,

I apologize if this has been discussed before (probably has), but I have 
searched in the archives with no luck. I am using snort 1.9.0 on a RH 
7.3 machine and I have the rule:

log ip any any <> any any (session: printable;)

in my snort.conf, in order to catch the exchanged ascii data for all 
sessions. The snort-output I get is directories named after IP addresses 
with SESSION:<hi-port>-<lo-port> files (see below an example). What 
seems to be confusing for me is whether the IP addresses used as 
directory names are the originators or the recipients of the sessions, 
i.e. did they initialize the session or just accepted it? Under what 
criteria does snort pick the IP address of the session? How can this IP 
address be interpreted?

[kmag at ...10447...]$ tree
|-- 143.101.50.217
|   |-- SESSION:2487-80
|   `-- SESSION:4961-80
|-- 192.163.247.228
|   |-- SESSION:1601-80
|   |-- SESSION:2297-80
|   |-- SESSION:2812-80
|   |-- SESSION:4065-80
|   `-- SESSION:4855-80
|-- 192.163.75.1
|   |-- SESSION:1025-443
|   |-- SESSION:1026-443
|   |-- SESSION:1027-443
|   |-- SESSION:54923-26
|   `-- SESSION:55021-26
|-- 61.134.172.78
|   `-- SESSION:4280-80
|-- 62.172.135.202
|   |-- SESSION:2386-1433
|   |-- SESSION:3345-1433
|   |-- SESSION:4195-1433
|   `-- SESSION:4198-1433
|-- 81.89.13.95
|   |-- SESSION:4605-26
|   `-- SESSION:4738-26

Thanks in advance. Kind regards,

Costas Magos
Internet Systematics Lab
NCSR "Demokritos"
Athens, Greece
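As an added example (not from the post or from Snort itself), a small parser for the `tree` listing above that collects every SESSION:&lt;port&gt;-&lt;port&gt; file under its IP directory and groups the sessions by the lower-numbered port. The grouping relies on an assumption of this example, that the lower port is the listening service; it makes no claim about which end Snort chose for the directory name.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the `tree` listing quoted in the post.
TREE_OUTPUT = """\
|-- 143.101.50.217
|   |-- SESSION:2487-80
|   `-- SESSION:4961-80
|-- 192.163.75.1
|   |-- SESSION:1025-443
|   |-- SESSION:1026-443
|   `-- SESSION:54923-26
|-- 62.172.135.202
|   |-- SESSION:2386-1433
|   `-- SESSION:3345-1433
"""

IP_RE = re.compile(r"^\|-- (\d{1,3}(?:\.\d{1,3}){3})\s*$")
SESSION_RE = re.compile(r"SESSION:(\d+)-(\d+)\s*$")


def parse_session_tree(text):
    """Return (ip, first_port, second_port) for every SESSION: file.

    The IP comes from the enclosing directory line; the ports are taken
    from the file name exactly as Snort wrote them, with no assumption
    about which end of the connection they belong to.
    """
    sessions = []
    current_ip = None
    for line in text.splitlines():
        ip_match = IP_RE.match(line)
        if ip_match:
            current_ip = ip_match.group(1)
            continue
        sess = SESSION_RE.search(line)
        if sess and current_ip:
            sessions.append((current_ip, int(sess.group(1)), int(sess.group(2))))
    return sessions


def sessions_by_service(sessions):
    """Group parsed sessions by their lower-numbered port.

    Heuristic (an assumption of this example, not a documented Snort rule):
    the lower port is usually the listening service, the higher one the
    ephemeral client port. Returns {service_port: Counter({ip: count})}.
    """
    groups = defaultdict(Counter)
    for ip, port_a, port_b in sessions:
        groups[min(port_a, port_b)][ip] += 1
    return dict(groups)
```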