[Snort-users] session output

Costas Magos kmag at ...7022...
Wed Nov 5 07:41:36 EST 2003


Thank you all. You've been most helpful.

~kmag

Erek Adams wrote:

>On Mon, 3 Nov 2003, Costas Magos wrote:
>
>[...snip...]
>
>
>>When not using the -h parameter, it seems that the IP addresses used as
>>directories, were from machines that *initiated* the sessions. This was
>>verified against the actual binary, using ethereal. This was true for
>>all sessions except for two IRC sessions, where the session file
>>indicated that a non-local IP from port 6667 initiated a connection
>>toward a local IP from port 6667 (that is, a server connecting to a
>>client...) and ethereal revealed exactly the opposite, the local IP
>>connecting to a remote IRC server. It is for this contradiction, I
>>opened this thread.
>>
>
>If you don't use "-h <foo>", Snort should build the directory based on the
>'higher' port number "first", which usually should be the remote system.
>In the case where the ports are equal, Snort picks the 'higher' IP, IIRC.
>
>To be honest, you'll be _much_ better off logging to binary (pcap) and
>then if you need the packet broken down, rerun Snort over the pcap file
>and use the -h <foo> switch.  Quick, simple, fast.  And you've got your
>pcap to go back and reread the data from with a:
>
>	snort -dvr <pcap_file> "host <foo>"
>
>Or whatever BPF filter you want to drop in.
>
>Cheers!
>
>-----
>Erek Adams
>
>   "When things get weird, the weird turn pro."   H.S. Thompson
>
>
>





More information about the Snort-users mailing list