[Snort-users] Snort Alert Log Timestamps

Jones, Christopher (Chris) (Maj) cajones1 at ...17771...
Fri Feb 3 17:26:12 EST 2017


Snort is working for me and producing some alerts on the pcap files I want to analyze.  The problem I'm having now is matching the alert timestamp to a packet in WireShark.  For instance, the following alert gives a timestamp of 08/16-03:22:49.286138 but that packet does not exist.  The closest one is 03:22:48.64 and 03:22:50.65.

[**] [139:1:1] (spp_sdf) SDF Combination Alert [**]
[Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2]
08/16-03:22:49.286138 216.137.xxx.xxx -> 207.140.xxx.xxx
PROTO:254 TTL:63 TOS:0x0 ID:33005 IpLen:20 DgmLen:20 DF

I'd really like to find the offending packet to better understand what caused the alert.  Can someone help me understand how to best find the packet in question given a snort alert?

Thanks again.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170203/e2ffc2ba/attachment.html>

More information about the Snort-users mailing list