[Snort-users] session output
mkettler at ...4108...
Mon Nov 3 08:47:17 EST 2003
At 10:03 AM 11/3/2003, Costas Magos wrote:
>in my snort.conf, in order to catch the excanged ascii data for all
>sessions. The snort-output I get is directories named after IP addresses
>with SESSION:<hi-port>-<lo-port> files (see below an example). What it
>seems to be confusing for me, is whether the IP addresses used as
>directory names are the originators or the recipients of the sessions,
>i.e. did they initialize the session or just accepted it? Under what
>criteria does snort pick the IP address of the session? How can this IP
>address be interpreted?
Snort should pick the IP address of the "non-local" address, based on the
-H command-line parameter (note that even though this is called "home
network" it is not necessarily the the same as HOME_NET in snort.conf, and
they are configured separately).
If you use no -H parameter, I think it will wind up defaulting to the
destination address of whatever packet caused it to alert.
Personally, I switched to tcpdump output a long time ago. For speed and
disk space reasons I'd recommend it over the plain ASCII mode logging. You
can always convert the binary files to ASCII when you need to with tcpdump
-xvvr. Tcpdump binary format is also convenient for feeding into a variety
of other tools, should you want to do so.
More information about the Snort-users