Snort mailing list archives

Logging packet contents in alerts.

From: "Matthew Collins" <Matthew.Collins () northernregistrars co uk>
Date: Wed, 06 Jun 2001 17:10:16 +0100

I'm currently using snort 1.7 as the IDS for our company. It is set up to log all packets (and application layer) in
tcpdump format. Alerts are recorded to a text file, and also to syslog. I've got a script that checks to see if the
alert file has changed, and mails those changes to me. Cron runs this script every 15 minutes.
This is running very well, alerts pop up on my email now and again (mostly port scans & NetBIOS name service attempts).
However, sometimes I get an alert like this. (Our IP address munged)

[**] WEB-IIS global-asa access [**]
06/06-15:11:33.932815 207.46.130.57:80 -> aa.bb.cc.dd:1091
TCP TTL:53 TOS:0x0 ID:287 IpLen:20 DgmLen:1408 DF
***A**** Seq: 0x3BB0A9DE Ack: 0xD30A3988 Win: 0x3B14 TcpLen: 20

Now, this is either,

A. False alarm, move along, nothing to see here.
B. Someone in our company deciding to do a bit of web defacement in their lunch hour.

Now to check this, I've got to ssh onto the snort box, restart snort, scp the tcpdump log file to my machine, run snort
with various options to extract the packet contents and then examine the packet.
Depending how late in the day this is, this can take some time. (For various reasons, the extract cannot be done on the
snort box itself)

If the packet contents were in the alert, I'd be able to tell straight away if this was a false alarm. Is there any way
to get snort to do this?

****************************************************************************************
This message and any attachments are confidential to the ordinary user of
the e-mail address to which it was addressed and may also be privileged.
If you are not the addressee you may not copy, forward, disclose or use
any part of the message or its attachments and if you have received this
message in error, please notify the sender immediately by return e-mail and
delete it from your system.
Internet communications cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, arrive late or contain
viruses. The sender therefore does not accept liability for any errors or
omissions in the context of this message which arise as a result of Internet
transmission.
Northern Registrars Limited, Northern House, Woodsome Park, Fenay
Bridge, Huddersfield. HD8 0LA.
Tel: +44 (0) 1484 600900 Fax: +44 (0) 1484 600911
For more information visit our web site: http://www.northernregistrars.co.uk
****************************************************************************************

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Logging packet contents in alerts. Matthew Collins (Jun 06)
- Re: Logging packet contents in alerts. Colin Wu (Jun 06)
- <Possible follow-ups>
- Re: Logging packet contents in alerts. Matthew Collins (Jun 07)