[Snort-users] session output

Costas Magos kmag at ...7022...
Tue Nov 4 06:15:15 EST 2003


Matt Kettler wrote:

> At 10:03 AM 11/3/2003, Costas Magos wrote:
>
>> in my snort.conf, in order to catch the excanged ascii data for all 
>> sessions. The snort-output I get is directories named after IP 
>> addresses with SESSION:<hi-port>-<lo-port> files (see below an 
>> example). What it seems to be confusing for me, is whether the IP 
>> addresses used as directory names are the originators or the 
>> recipients of the sessions, i.e. did they initialize the session or 
>> just accepted it? Under what criteria does snort pick the IP address 
>> of the session? How can this IP address be interpreted?
>
>
> Snort should pick the IP address of the "non-local" address, based on 
> the -H command-line parameter (note that even though this is called 
> "home network" it is not necessarily the the same as HOME_NET in 
> snort.conf, and they are configured separately).
>
You are right, using the -h parameter things cleared up. Only non-local 
IP addresses are logged.

> If you use no -H parameter, I think it will wind up defaulting to the 
> destination address of whatever packet caused it to alert.
>
When not using the -h parameter, it seems that the IP addresses used as 
directories, were from machines that *initiated* the sessions. This was 
verified against the actual binary, using ethereal. This was true for 
all sessions except for two IRC sessions, where the session file 
indicated that a non-local IP from port 6667 initiated a connection 
toward a local IP from port 6667 (that is, a server connecting to a 
client...) and ethereal revealed exactly the opposite, the local IP 
connecting to a remote IRC server. It is for this contradiction, I 
opened this thread.

> Personally, I switched to tcpdump output a long time ago. For speed 
> and disk space reasons I'd recommend it over the plain ASCII mode 
> logging. You can always convert the binary files to ASCII when you 
> need to with tcpdump -xvvr. Tcpdump binary format is also convenient 
> for feeding into a variety of other tools, should you want to do so.
>
>
>
>
>
>
>
>
>





More information about the Snort-users mailing list