[Snort-users] Snort Alert Log Timestamps
Jones, Christopher (Chris) (Maj)
cajones1 at ...17771...
Fri Feb 3 17:26:12 EST 2017
Snort is working for me and producing some alerts on the pcap files I want to analyze. The problem I'm having now is matching the alert timestamp to a packet in Wireshark. For instance, the following alert gives a timestamp of 08/16-03:22:49.286138, but that packet does not exist. The closest ones are 03:22:48.64 and 03:22:50.65.
[**] [139:1:1] (spp_sdf) SDF Combination Alert [**]
[Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2]
08/16-03:22:49.286138 216.137.xxx.xxx -> 207.140.xxx.xxx
PROTO:254 TTL:63 TOS:0x0 ID:33005 IpLen:20 DgmLen:20 DF
I'd really like to find the offending packet to better understand what caused the alert. Can someone help me understand how best to find the packet in question given a Snort alert?
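An added example, not part of the original post, showing one way to correlate a Snort alert stamp with frames in a capture. Snort's alert timestamp (MM/DD-HH:MM:SS.usec) has no year and is printed in local time unless Snort runs with -U, so the script takes the year from the first packet and assumes the stamp is UTC; the pcap, the window width and the frame contents are constructed here, and the only value taken from the post is the alert line itself. It lists every frame within a tolerance window of the alert, closest first, rather than looking for an exact match.

```python
"""Locate the pcap frames nearest a Snort alert timestamp (stdlib only)."""
import re
import struct
from datetime import datetime, timezone

# Leading stamp of a Snort alert line, e.g. "08/16-03:22:49.286138 a.b.c.d -> e.f.g.h"
ALERT_TS_RE = re.compile(r"^(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})\.(\d{6})")


def parse_snort_timestamp(line, year):
    """Turn the stamp at the start of an alert line into an aware UTC datetime.
    Snort omits the year, so the caller supplies it (here: from the capture)."""
    m = ALERT_TS_RE.match(line.strip())
    if not m:
        raise ValueError("line does not start with a Snort timestamp: %r" % line)
    mon, day, hh, mm, ss, usec = (int(g) for g in m.groups())
    return datetime(year, mon, day, hh, mm, ss, usec, tzinfo=timezone.utc)


def read_pcap(data):
    """Minimal classic libpcap reader (not pcapng). Yields (frame_no, utc_datetime, bytes);
    frame_no is 1-based so it lines up with Wireshark's frame.number."""
    magics = {
        b"\xd4\xc3\xb2\xa1": ("<", False), b"\xa1\xb2\xc3\xd4": (">", False),
        b"\x4d\x3c\xb2\xa1": ("<", True),  b"\xa1\xb2\x3c\x4d": (">", True),
    }
    if data[:4] not in magics:
        raise ValueError("not a classic pcap file")
    endian, nanos = magics[data[:4]]
    offset, frame_no = 24, 1            # 24-byte global header
    while offset + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        pkt = data[offset:offset + incl_len]
        offset += incl_len
        usec = frac // 1000 if nanos else frac
        ts = datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=usec)
        yield frame_no, ts, pkt
        frame_no += 1


def find_candidates(pcap_bytes, alert_line, window_seconds=2.0):
    """Return [(frame_no, timestamp, delta_seconds), ...] for frames within
    +/- window_seconds of the alert stamp, closest first. delta = frame time - alert time."""
    packets = list(read_pcap(pcap_bytes))
    if not packets:
        return []
    alert_ts = parse_snort_timestamp(alert_line, packets[0][1].year)
    hits = []
    for frame_no, ts, _pkt in packets:
        delta = (ts - alert_ts).total_seconds()
        if abs(delta) <= window_seconds:
            hits.append((frame_no, ts, delta))
    hits.sort(key=lambda h: abs(h[2]))
    return hits


# --- constructed sample data (the alert line is the one from the post) ----
ALERT_LINE = "08/16-03:22:49.286138 216.137.xxx.xxx -> 207.140.xxx.xxx"


def build_sample_pcap():
    """Write a tiny little-endian pcap in memory with four constructed frames;
    the year 2016 and the frame times are made up for the example."""
    def stamp(h, m, s, us):
        return datetime(2016, 8, 16, h, m, s, us, tzinfo=timezone.utc)
    frames = [stamp(3, 22, 40, 0), stamp(3, 22, 48, 640000),
              stamp(3, 22, 50, 650000), stamp(3, 23, 10, 0)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, LINKTYPE_ETHERNET
    payload = b"\x00" * 60                                            # dummy body; only timestamps matter
    for ts in frames:
        out += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond, len(payload), len(payload))
        out += payload
    return out


if __name__ == "__main__":
    for frame_no, ts, delta in find_candidates(build_sample_pcap(), ALERT_LINE):
        print("frame %d  %s  %+.6f s" % (frame_no, ts.strftime("%H:%M:%S.%f"), delta))
```

Run against a real capture by replacing build_sample_pcap() with the file's bytes; if the nearest frames land a consistent number of hours away, the Snort stamp and the capture are in different time zones (Wireshark shows local time by default, Snort prints local time unless started with -U). The same window can be applied directly in Wireshark with a display filter such as frame.time >= "Aug 16, 2016 03:22:47" && frame.time <= "Aug 16, 2016 03:22:51".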