[Snort-users] session output

Costas Magos kmag at ...7022...
Tue Nov 4 06:15:11 EST 2003


Well, actually I do know what I told snort to show me: log printable 
keystrokes for all sessions. I have added the following rule

log ip any any <> any any (session: printable;)

to snort.conf for this reason. This is a small experimental 
non-production network with a low volume of collected data. Snort is 
used to capture, log and alert on traffic coming in and going out of 
that network.

I need help on how to interpret the IP address used in the directories 
created by snort. Is it the client (did it initiate the session) or the 
server (did it accept the connection) in the logged sessions?

~kmag

P.S. I'm sorry for messing up the original posting.

J. wrote:

>I'm really not sure I understand your question, but I'm gonna try =)
>
>Without knowing how you are using Snort it's hard to be able to tell you
>what you told snort to show you, especially if you don't know =)
>
>These directories are alert logs and contain summary data for alerts.
>
>Alerts are generated by snort based on rules.  You clearly have defined
>rules and they are occurring.
>
>Perhaps they are not important alerts, but alerts nonetheless...
>
>Unless you are logging rather than alerting...but why would anyone do this
>in ascii??  Scary...
>
>HTH.
>
>J.
>
>
>  
>
>>-----Original Message-----
>>From: snort-users-admin at lists.sourceforge.net
>>[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Costas Magos
>>Sent: Monday, November 03, 2003 8:03 AM
>>To: snort-users at lists.sourceforge.net
>>Subject: [Snort-users] session output
>>
>>
>>hi all,
>>
>>I apologize if this has been discussed before (probably has), but I have
>>searched in the archives with no luck. I am using snort 1.9.0 on a RH
>>7.3 machine and I have the rule:
>>
>>log ip any any <> any any (session: printable;)
>>
>>in my snort.conf, in order to catch the exchanged ascii data for all
>>sessions. The snort-output I get is directories named after IP addresses
>>with SESSION:<hi-port>-<lo-port> files (see below an example). What
>>seems to be confusing for me is whether the IP addresses used as
>>directory names are the originators or the recipients of the sessions,
>>i.e. did they initialize the session or just accept it? Under what
>>criteria does snort pick the IP address of the session? How can this IP
>>address be interpreted?
>>
>>[kmag at ...10447...]$ tree
>>|-- 143.101.50.217
>>|   |-- SESSION:2487-80
>>|   `-- SESSION:4961-80
>>|-- 192.163.247.228
>>|   |-- SESSION:1601-80
>>|   |-- SESSION:2297-80
>>|   |-- SESSION:2812-80
>>|   |-- SESSION:4065-80
>>|   `-- SESSION:4855-80
>>|-- 192.163.75.1
>>|   |-- SESSION:1025-443
>>|   |-- SESSION:1026-443
>>|   |-- SESSION:1027-443
>>|   |-- SESSION:54923-26
>>|   `-- SESSION:55021-26
>>|-- 61.134.172.78
>>|   `-- SESSION:4280-80
>>|-- 62.172.135.202
>>|   |-- SESSION:2386-1433
>>|   |-- SESSION:3345-1433
>>|   |-- SESSION:4195-1433
>>|   `-- SESSION:4198-1433
>>|-- 81.89.13.95
>>|   |-- SESSION:4605-26
>>|   `-- SESSION:4738-26
>>
>>Thanks in advance. Kind regards,
>>
>>Costas Magos
>>Internet Systematics Lab
>>NCSR "Demokritos"
>>Athens, Greece
>>
>>
>>
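As an added example (not from the thread), the following script parses a `tree` listing of Snort's ASCII session directories, which the original post shows as IP-named directories holding SESSION:<hi-port>-<lo-port> files, and counts each directory's sessions by the lower port, which is normally the well-known service port. It takes an excerpt of the listing from the post as its input and does not settle which end of the connection the directory IP names, the question the thread leaves open.

```python
import re
from collections import defaultdict

# Excerpt of the `tree` output quoted in the original post (Snort 1.9.0
# ASCII session logging); only three of the six directories are kept here.
TREE_LISTING = """\
|-- 143.101.50.217
|   |-- SESSION:2487-80
|   `-- SESSION:4961-80
|-- 192.163.75.1
|   |-- SESSION:1025-443
|   |-- SESSION:1026-443
|   |-- SESSION:1027-443
|   |-- SESSION:54923-26
|   `-- SESSION:55021-26
|-- 62.172.135.202
|   |-- SESSION:2386-1433
|   |-- SESSION:3345-1433
|   |-- SESSION:4195-1433
|   `-- SESSION:4198-1433
"""

# A top-level `tree` entry is an IPv4 address; nested entries are SESSION files.
IP_RE = re.compile(r"^\|-- (\d{1,3}(?:\.\d{1,3}){3})\s*$")
SESSION_RE = re.compile(r"SESSION:(\d+)-(\d+)\s*$")


def parse_tree(listing):
    """Return (dir_ip, hi_port, lo_port) tuples from a `tree` listing.

    Ports are kept in the order the file name gives them (higher first).
    """
    sessions = []
    current_ip = None
    for line in listing.splitlines():
        m = IP_RE.match(line)
        if m:
            current_ip = m.group(1)
            continue
        m = SESSION_RE.search(line)
        if m and current_ip is not None:
            sessions.append((current_ip, int(m.group(1)), int(m.group(2))))
    return sessions


def summarize(sessions):
    """Per directory IP, count sessions by the lower (service) port."""
    summary = defaultdict(lambda: defaultdict(int))
    for ip, hi, lo in sessions:
        summary[ip][min(hi, lo)] += 1
    return {ip: dict(ports) for ip, ports in summary.items()}
```

Running `summarize(parse_tree(TREE_LISTING))` shows, for instance, that all four sessions under 62.172.135.202 involve port 1433, while 192.163.75.1 has three on 443 and two on 26.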