Snort mailing list archives
packet decodes on full alerts
From: Lance Spitzner <lance () honeynet org>
Date: Mon, 19 Nov 2001 15:36:29 -0600 (CST)
Question on 1.8

I have Snort sending full alerts to a log file.

output alert_full: /var/adm/snort_alerts

Is there any way I can get the alerts to include the actual packet payload of the packet that initiated the alert? I have Snort running with the '-d' option, thought that would do the trick but it is not. Below are the alerts I am getting, I would like to get the packet payload also.

Thanks!

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:49.132647 216.156.130.2:3307 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:20849 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x83F3751B  Ack: 0xB46F9  Win: 0x2238  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:49.226834 216.156.130.2:3307 -> 172.16.1.108:80
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:120
***AP*** Seq: 0x83F3751B  Ack: 0x83F3751B  Win: 0x21E8  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:59.214308 216.156.130.2:4162 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:43939 IpLen:20 DgmLen:175 DF
***AP*** Seq: 0x83F382C5  Ack: 0xB46FB  Win: 0x2238  TcpLen: 20

--
Lance Spitzner
http://project.honeynet.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
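The records quoted in the message are Snort's alert_full layout, which is regular enough to parse mechanically. What follows is an added example, not code from the post, from Lance Spitzner, or from the Snort project: a small Python parser for that layout, fed the three records from the post reflowed one field group per line (which I take to be how alert_full writes them; the archived copy had them run together). The dataclass field names and the group_by_flow helper are this example's own choices, not Snort's, and the ICMP record handling is an assumption about how port-less protocols are printed.

```python
"""Parse Snort 1.x alert_full records like the ones quoted in the post.
Added example; not code from the post or from the Snort project. Field names
and the one-group-per-line layout are this example's own reading of the alerts."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: the three records from the post, one field group per line.
SAMPLE_ALERTS = """\
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:49.132647 216.156.130.2:3307 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:20849 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x83F3751B  Ack: 0xB46F9  Win: 0x2238  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:49.226834 216.156.130.2:3307 -> 172.16.1.108:80
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:120
***AP*** Seq: 0x83F3751B  Ack: 0x83F3751B  Win: 0x21E8  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:59.214308 216.156.130.2:4162 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:43939 IpLen:20 DgmLen:175 DF
***AP*** Seq: 0x83F382C5  Ack: 0xB46FB  Win: 0x2238  TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
# Ports are optional so port-less protocols (ICMP) parse too (assumption).
ADDR_RE = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
IP_RE = re.compile(r"^([A-Z]+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) "
                   r"IpLen:(\d+) DgmLen:(\d+)(.*)$")
TCP_RE = re.compile(r"^([*\w]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)"
                    r"\s+Win: (0x[0-9A-Fa-f]+)\s+TcpLen: (\d+)$")


@dataclass
class Alert:
    gid: int; sid: int; rev: int; msg: str
    classification: str; priority: int
    timestamp: str                          # as Snort prints it: MM/DD-HH:MM:SS.usec
    src: str; sport: Optional[int]; dst: str; dport: Optional[int]
    proto: str; ttl: int; tos: int; ip_id: int; ip_len: int; dgm_len: int
    ip_flags: List[str] = field(default_factory=list)   # e.g. ["DF"]
    tcp_flags: Optional[str] = None                     # e.g. "***AP***"
    seq: Optional[int] = None; ack: Optional[int] = None
    win: Optional[int] = None; tcp_len: Optional[int] = None
    extra: List[str] = field(default_factory=list)      # any lines after the headers


def parse_record(lines: List[str]) -> Alert:
    """Parse one record: the non-blank lines between two blank lines."""
    def at(k: int) -> str:                  # out-of-range lines match nothing below
        return lines[k] if k < len(lines) else ""
    m_hdr, m_cls = HEADER_RE.match(at(0)), CLASS_RE.match(at(1))
    i = 2 if m_cls else 1                   # rules without a classtype print no such line
    m_adr, m_ip = ADDR_RE.match(at(i)), IP_RE.match(at(i + 1))
    if not (m_hdr and m_adr and m_ip):
        raise ValueError(f"unrecognised alert_full record: {lines[:1]!r}")
    a = Alert(
        gid=int(m_hdr[1]), sid=int(m_hdr[2]), rev=int(m_hdr[3]), msg=m_hdr[4],
        classification=m_cls[1] if m_cls else "",
        priority=int(m_cls[2]) if m_cls else 0,
        timestamp=m_adr[1],
        src=m_adr[2], sport=int(m_adr[3]) if m_adr[3] else None,
        dst=m_adr[4], dport=int(m_adr[5]) if m_adr[5] else None,
        proto=m_ip[1], ttl=int(m_ip[2]), tos=int(m_ip[3], 16), ip_id=int(m_ip[4]),
        ip_len=int(m_ip[5]), dgm_len=int(m_ip[6]), ip_flags=m_ip[7].split(),
    )
    rest = lines[i + 2:]
    if a.proto == "TCP" and rest:
        m_tcp = TCP_RE.match(rest[0])
        if m_tcp:
            a.tcp_flags = m_tcp[1]
            a.seq, a.ack, a.win = (int(m_tcp[k], 16) for k in (2, 3, 4))
            a.tcp_len = int(m_tcp[5])
            rest = rest[1:]
    a.extra = rest                          # empty for the post's records: no payload follows
    return a


def parse_alert_full(text: str) -> List[Alert]:
    """Split an alert_full file on blank lines and parse every record."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [parse_record(b.strip().splitlines()) for b in blocks if b.strip()]


def group_by_flow(alerts: List[Alert]) -> Dict[tuple, List[Alert]]:
    """Group alerts by 5-tuple so repeated hits on one connection stand out."""
    flows: Dict[tuple, List[Alert]] = {}
    for a in alerts:
        flows.setdefault((a.src, a.sport, a.dst, a.dport, a.proto), []).append(a)
    return flows
```

Running parse_alert_full over the three records and grouping them gives two flows: the 3307 connection carries two alerts 94 ms apart with the same Seq, the 4162 connection one. Every record's extra list comes back empty, which is the question in data form: the alert_full record ends at the TCP line, and nothing after it carries payload bytes.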
Current thread:
- packet decodes on full alerts Lance Spitzner (Nov 19)
- Re: packet decodes on full alerts Erek Adams (Nov 19)
- Re: packet decodes on full alerts Phil Wood (Nov 19)