[Snort-users] session output
erek at ...950...
Tue Nov 4 08:26:13 EST 2003
On Mon, 3 Nov 2003, Costas Magos wrote:
> When not using the -h parameter, it seems that the IP addresses used as
> directories, were from machines that *initiated* the sessions. This was
> verified against the actual binary, using ethereal. This was true for
> all sessions except for two IRC sessions, where the session file
> indicated that a non-local IP from port 6667 initiated a connection
> toward a local IP from port 6667 (that is, a server connecting to a
> client...) and ethereal revealed exactly the opposite, the local IP
> connecting to a remote IRC server. It is for this contradiction, I
> opened this thread.
If you don't use "-h <foo>", Snort should build the directory based on the
'higher' port number "first", which usually should be the remote system.
In the case where the ports are equal, Snort picks the 'higher' IP, IIRC.
To be honest, you'll be _much_ better off logging to binary (pcap) and
then if you need the packet broken down, rerun Snort over the pcap file
and use the -h <foo> switch. Quick, simple, fast. And you've got your
pcap to go back and reread the data from with a:
snort -dvr <pcap_file> "host <foo>"
Or whatever BPF filter you want to drop in.
"When things get weird, the weird turn pro." H.S. Thompson
More information about the Snort-users