[Snort-users] Snort Alert Log Timestamps

Balasubramaniam Natarajan bala150985 at ...11827...
Sun Feb 5 00:35:03 EST 2017


Could you run file(1) on your *.pcap file and share the output?  If the file
is very small, what do you get when you run this: tcpdump -r yourfile.pcap -nn -X ?

On Sat, Feb 4, 2017 at 3:56 AM, Jones, Christopher (Chris) (Maj) <
cajones1 at ...17771...> wrote:

> Team,
>
> Snort is working for me and producing some alerts on the pcap files I want
> to analyze.  The problem I’m having now is matching the alert timestamp to
> a packet in Wireshark.  For instance, the following alert gives a timestamp
> of 08/16-03:22:49.286138 but that packet does not exist.  The closest ones
> are 03:22:48.64 and 03:22:50.65.
>
> [**] [139:1:1] (spp_sdf) SDF Combination Alert [**]
> [Classification: Sensitive Data was Transmitted Across the Network]
> [Priority: 2]
> 08/16-03:22:49.286138 216.137.xxx.xxx -> 207.140.xxx.xxx
> PROTO:254 TTL:63 TOS:0x0 ID:33005 IpLen:20 DgmLen:20 DF
>
> I’d really like to find the offending packet to better understand what
> caused the alert.  Can someone help me understand how to best find the
> packet in question given a snort alert?
>
> Thanks again.
>
> Chris
>



-- 
Regards,
Balasubramaniam Natarajan
http://bullet-bala.blogspot.in/ <http://blog.etutorshop.com>
https://www.youracclaim.com/user/balasubramaniam-natarajan
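One way to do the matching Chris asks about, added here as an example and not code from either poster: parse the timestamp line of a Snort full-format alert, then list the frames of a classic pcap that fall within a window around that time, nearest first, so the closest packet can be checked by frame number in Wireshark. The year (Snort prints none), the time zone (Snort prints local time unless started with -U), the addresses and the constructed capture are all assumptions, not values from the thread; a pcapng file is rejected, which is the case file(1) would reveal.

```python
import re
import struct
from datetime import datetime, timezone

# Timestamp/address line of a Snort "full" alert, e.g. "08/16-03:22:49.286138 A -> B" (no year printed).
ALERT_RE = re.compile(r"(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+) -> (\S+)")

# Classic pcap magic numbers -> (struct byte order, scale of the fraction-of-second field).
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": ("<", 1e-6), b"\xa1\xb2\xc3\xd4": (">", 1e-6),
              b"\x4d\x3c\xb2\xa1": ("<", 1e-9), b"\xa1\xb2\x3c\x4d": (">", 1e-9)}


def parse_alert(line, year, tz=timezone.utc):
    """(epoch seconds, src, dst); year and tz are caller assumptions (Snort prints no year, local time unless -U)."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("no Snort timestamp line in %r" % line)
    mon, day, hh, mm, ss, us, src, dst = m.groups()
    dt = datetime(year, int(mon), int(day), int(hh), int(mm), int(ss), int(us), tzinfo=tz)
    return dt.timestamp(), src, dst


def iter_pcap(data):
    """Yield (frame number, epoch timestamp, packet bytes) from classic pcap bytes; pcapng is rejected."""
    if data[:4] not in PCAP_MAGIC:
        raise ValueError("not a classic pcap file (check it with file(1))")
    endian, scale = PCAP_MAGIC[data[:4]]
    off, frame = 24, 0                                  # skip the 24-byte global header
    while off + 16 <= len(data):                        # 16-byte per-packet record header
        sec, frac, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off, frame = off + 16, frame + 1
        yield frame, sec + frac * scale, data[off:off + incl]
        off += incl


def candidates(data, alert_ts, window=2.0):
    """Frames within +/- window seconds of the alert time, nearest first, as (frame, ts, ts - alert_ts)."""
    hits = [(f, ts, ts - alert_ts) for f, ts, _ in iter_pcap(data) if abs(ts - alert_ts) <= window]
    return sorted(hits, key=lambda h: abs(h[2]))


def build_pcap(timestamps, endian="<"):
    """Constructed capture for testing: one 20-byte zero-filled record per timestamp (no real IP content)."""
    out = bytearray(struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts in timestamps:
        sec = int(ts)
        out += struct.pack(endian + "IIII", sec, round((ts - sec) * 1e6), 20, 20) + bytes(20)
    return bytes(out)


if __name__ == "__main__":   # the two neighbours Chris saw; year 2016, UTC and the addresses are assumptions
    cap = build_pcap([datetime(2016, 8, 16, 3, 22, 48, 640000, tzinfo=timezone.utc).timestamp(),
                      datetime(2016, 8, 16, 3, 22, 50, 650000, tzinfo=timezone.utc).timestamp()])
    ts, src, dst = parse_alert("08/16-03:22:49.286138 216.137.0.1 -> 207.140.0.1", 2016)
    for frame, pts, delta in candidates(cap, ts):
        print("frame %d at %.6f (%+.6f s from the alert, %s -> %s)" % (frame, pts, delta, src, dst))
```

The frame numbers it prints are the ones Wireshark shows in its first column, and `frame.time_epoch` can be used as a display filter on the same window.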