[Snort-users] session output
kmag at ...7022...
Tue Nov 4 06:15:15 EST 2003
Matt Kettler wrote:
> At 10:03 AM 11/3/2003, Costas Magos wrote:
>> in my snort.conf, in order to catch the exchanged ascii data for all
>> sessions. The snort-output I get is directories named after IP
>> addresses with SESSION:<hi-port>-<lo-port> files (see below an
>> example). What it seems to be confusing for me, is whether the IP
>> addresses used as directory names are the originators or the
>> recipients of the sessions, i.e. did they initialize the session or
>> just accepted it? Under what criteria does snort pick the IP address
>> of the session? How can this IP address be interpreted?
> Snort should pick the IP address of the "non-local" address, based on
> the -H command-line parameter (note that even though this is called
> "home network" it is not necessarily the the same as HOME_NET in
> snort.conf, and they are configured separately).
You are right; using the -h parameter, things cleared up. Only non-local
IP addresses are logged.
> If you use no -H parameter, I think it will wind up defaulting to the
> destination address of whatever packet caused it to alert.
When not using the -h parameter, it seems that the IP addresses used as
directories were from machines that *initiated* the sessions. This was
verified against the actual binary, using ethereal. This was true for
all sessions except for two IRC sessions, where the session file
indicated that a non-local IP from port 6667 initiated a connection
toward a local IP from port 6667 (that is, a server connecting to a
client...) and ethereal revealed exactly the opposite: the local IP
connecting to a remote IRC server. It was because of this contradiction
that I opened this thread.
> Personally, I switched to tcpdump output a long time ago. For speed
> and disk space reasons I'd recommend it over the plain ASCII mode
> logging. You can always convert the binary files to ASCII when you
> need to with tcpdump -xvvr. Tcpdump binary format is also convenient
> for feeding into a variety of other tools, should you want to do so.
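As an added example (not from this thread and not Snort's own code), here is a small Python check that derives the directory and SESSION file name a session should get under the behaviour described above and flags logged entries that disagree with the SYN direction seen in a capture. The home-net rule and the originator fallback are assumptions modelling this thread's description, and the packets and on-disk paths are constructed.

```python
import ipaddress

# Constructed sample: the SYN packet of each session as read off a capture,
# as (src_ip, src_port, dst_ip, dst_port). The local network is 10.0.0.0/24.
SAMPLE_SYNS = [
    ("10.0.0.5", 1025, "192.0.2.10", 80),       # local client -> remote web server
    ("10.0.0.7", 6667, "198.51.100.9", 6667),   # local client -> remote IRC server
    ("203.0.113.4", 40000, "10.0.0.8", 22),     # remote client -> local ssh server
]

# Constructed sample of what was found on disk without -h: (directory, filename).
# The IRC session is filed under the remote address, the direction confusion
# the thread describes.
SAMPLE_LOGGED = [
    ("10.0.0.5", "SESSION:1025-80"),
    ("198.51.100.9", "SESSION:6667-6667"),
    ("203.0.113.4", "SESSION:40000-22"),
]


def session_path(src_ip, src_port, dst_ip, dst_port, home_net=None):
    """Expected (directory, filename) under the behaviour reported in the thread
    (an assumption, not Snort's source): with a home net (-h) the directory is
    the non-local address; without one it is the originator's (SYN sender's)
    address. The filename is SESSION:<hi-port>-<lo-port>, so the file name
    alone carries no direction information."""
    if home_net is not None:
        net = ipaddress.ip_network(home_net)
        directory = dst_ip if ipaddress.ip_address(src_ip) in net else src_ip
    else:
        directory = src_ip
    hi, lo = max(src_port, dst_port), min(src_port, dst_port)
    return directory, f"SESSION:{hi}-{lo}"


def reconcile(syns, logged, home_net=None):
    """Return the logged entries that match no expected path: sessions whose
    directory name must be re-checked against the capture before being read
    as "this host initiated the connection"."""
    expected = {session_path(*s, home_net=home_net) for s in syns}
    return sorted(set(logged) - expected)


if __name__ == "__main__":
    for entry in reconcile(SAMPLE_SYNS, SAMPLE_LOGGED):
        print("direction mismatch:", entry)
```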