[Snort-users] session output
kmag at ...7022...
Wed Nov 5 07:41:36 EST 2003
Thank you all. You've been most helpful.
Erek Adams wrote:
>On Mon, 3 Nov 2003, Costas Magos wrote:
>>When not using the -h parameter, it seems that the IP addresses used as
>>directories, were from machines that *initiated* the sessions. This was
>>verified against the actual binary, using ethereal. This was true for
>>all sessions except for two IRC sessions, where the session file
>>indicated that a non-local IP from port 6667 initiated a connection
>>toward a local IP from port 6667 (that is, a server connecting to a
>>client...) and ethereal revealed exactly the opposite, the local IP
>>connecting to a remote IRC server. It is for this contradiction, I
>>opened this thread.
>If you don't use "-h <foo>", Snort should build the directory based on the
>'higher' port number "first", which usually should be the remote system.
>In the case where the ports are equal, Snort picks the 'higher' IP, IIRC.
>To be honest, you'll be _much_ better off logging to binary (pcap) and
>then if you need the packet broken down, rerun Snort over the pcap file
>and use the -h <foo> switch. Quick, simple, fast. And you've got your
>pcap to go back and reread the data from with a:
> snort -dvr <pcap_file> "host <foo>"
>Or whatever BPF filter you want to drop in.
> "When things get weird, the weird turn pro." H.S. Thompson
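The directory-naming rule Erek describes above, written out as an added Python example (not Snort's own code): without -h, the directory is the address on the higher-port side, and the higher address when the ports tie; with -h, it is assumed to be the address outside the home network. The home network 10.0.0.0/8 and the addresses below are constructed.

```python
import ipaddress


def session_dir(src_ip, src_port, dst_ip, dst_port, home_net=None):
    """Return the address Snort would use as the session log directory.

    Rule as described in the thread (assumption, not taken from Snort source):
    - with -h <home_net>, the directory is the address NOT in the home
      network (the remote side);
    - without -h, the side with the higher port is chosen; if the ports
      are equal, the higher IP address wins.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if home_net is not None:
        net = ipaddress.ip_network(home_net, strict=False)
        if src in net and dst not in net:
            return str(dst)
        if dst in net and src not in net:
            return str(src)
        # both sides home or both foreign: fall back to the port rule
    if src_port != dst_port:
        return str(src) if src_port > dst_port else str(dst)
    return str(max(src, dst))


if __name__ == "__main__":
    # Constructed: local client 10.0.0.5 connects to remote IRC server 192.0.2.20.
    # Ephemeral client port: directory is the initiator, as Costas observed.
    print(session_dir("10.0.0.5", 51234, "192.0.2.20", 6667))   # 10.0.0.5
    # Both ends on 6667: higher IP wins, so the remote server appears to
    # "own" the session even though the local host initiated it.
    print(session_dir("10.0.0.5", 6667, "192.0.2.20", 6667))    # 192.0.2.20
    # With -h, the directory is the remote side regardless of ports.
    print(session_dir("10.0.0.5", 6667, "192.0.2.20", 6667, "10.0.0.0/8"))
```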