[Snort-users] session output

Matt Kettler mkettler at ...4108...
Mon Nov 3 08:47:17 EST 2003

At 10:03 AM 11/3/2003, Costas Magos wrote:
>in my snort.conf, in order to catch the exchanged ascii data for all 
>sessions. The snort-output I get is directories named after IP addresses 
>with SESSION:<hi-port>-<lo-port> files (see below an example). What 
>seems to be confusing for me is whether the IP addresses used as 
>directory names are the originators or the recipients of the sessions, 
>i.e. did they initialize the session or just accepted it? Under what 
>criteria does snort pick the IP address of the session? How can this IP 
>address be interpreted?

Snort should pick the IP address of the "non-local" address, based on the 
-H command-line parameter (note that even though this is called "home 
network" it is not necessarily the same as HOME_NET in snort.conf, and 
they are configured separately).

If you use no -H parameter, I think it will wind up defaulting to the 
destination address of whatever packet caused it to alert.

Personally, I switched to tcpdump output a long time ago. For speed and 
disk space reasons I'd recommend it over the plain ASCII mode logging. You 
can always convert the binary files to ASCII when you need to with tcpdump 
-xvvr. Tcpdump binary format is also convenient for feeding into a variety 
of other tools, should you want to do so.
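The directory-naming rule described above, as an added example written for this archive page (it is a model of the behaviour Matt describes, not Snort's own logging code): with -H, the directory is the "non-local" endpoint, i.e. the address outside the -H network; without -H, it is the destination of the packet that triggered logging. The tie-break when both or neither address falls inside the -H network, and the sample session records, are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Optional

def pick_logged_address(src_ip: str, dst_ip: str, home_net: Optional[str] = None) -> str:
    """Return the address Snort's ASCII session logger would use as the
    directory name, per the rule described in the reply:
      - with -H <home_net>: the endpoint that is NOT inside home_net
      - without -H: the destination of the packet that caused the log
    Assumption (not stated on the page): if both or neither endpoint is
    inside home_net, fall back to the destination address."""
    if home_net is not None:
        net = ipaddress.ip_network(home_net, strict=False)
        src_local = ipaddress.ip_address(src_ip) in net
        dst_local = ipaddress.ip_address(dst_ip) in net
        if src_local and not dst_local:
            return dst_ip
        if dst_local and not src_local:
            return src_ip
    return dst_ip

def session_log_path(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                     home_net: Optional[str] = None) -> str:
    """Build the '<dir>/SESSION:<hi-port>-<lo-port>' path the post describes."""
    hi, lo = max(src_port, dst_port), min(src_port, dst_port)
    return f"{pick_logged_address(src_ip, dst_ip, home_net)}/SESSION:{hi}-{lo}"

# Constructed sample: one TCP conversation seen in both directions
# (client 10.0.0.5:34567 <-> web server 192.0.2.10:80), so the logger is
# triggered once by a client->server packet and once by the reply.
SAMPLE_PACKETS = [
    ("10.0.0.5", 34567, "192.0.2.10", 80),
    ("192.0.2.10", 80, "10.0.0.5", 34567),
]

def group_by_directory(packets, home_net: Optional[str] = None) -> dict:
    """Map each log directory to the session files it would contain.
    With -H the two directions collapse into one directory; without -H they
    land under different directories, which is the ambiguity the question asks about."""
    dirs = defaultdict(set)
    for src_ip, sport, dst_ip, dport in packets:
        directory, fname = session_log_path(src_ip, sport, dst_ip, dport, home_net).split("/")
        dirs[directory].add(fname)
    return {d: sorted(files) for d, files in dirs.items()}

if __name__ == "__main__":
    print("with -H 10.0.0.0/24:", group_by_directory(SAMPLE_PACKETS, "10.0.0.0/24"))
    print("without -H:        ", group_by_directory(SAMPLE_PACKETS))
```

Running the module shows the practical consequence: with -H set, both directions of the constructed conversation are filed under 192.0.2.10; without it, the same session is split across 192.0.2.10 and 10.0.0.5 depending on which packet triggered logging.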

