Snort mailing list archives

packet decodes on full alerts


From: Lance Spitzner <lance () honeynet org>
Date: Mon, 19 Nov 2001 15:36:29 -0600 (CST)

Question on 1.8

I have Snort sending full alerts to a log file.

   output alert_full: /var/adm/snort_alerts

Is there any way I can get the alerts to include the actual
packet payload of the packet that initiated the alert?  I
have Snort running with the '-d' option; I thought that
would do the trick, but it does not.  Below are the alerts
I am getting; I would like to get the packet payload also.

Thanks!



[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:49.132647 216.156.130.2:3307 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:20849 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x83F3751B  Ack: 0xB46F9  Win: 0x2238  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:49.226834 216.156.130.2:3307 -> 172.16.1.108:80
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:120
***AP*** Seq: 0x83F3751B  Ack: 0x83F3751B  Win: 0x21E8  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:59.214308 216.156.130.2:4162 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:43939 IpLen:20 DgmLen:175 DF
***AP*** Seq: 0x83F382C5  Ack: 0xB46FB  Win: 0x2238  TcpLen: 20

-- 
Lance Spitzner
http://project.honeynet.org
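Added example, not from the post or from the Snort project: a small Python parser for the alert_full record format quoted above. Besides the header fields, it works out from DgmLen, IpLen and TcpLen how many payload bytes each logged packet carried, and flags whether any dump lines were actually written after the five header lines, so an analyst can see at a glance which alerts are missing the payload the -d option is meant to add. It assumes records are separated by blank lines and that any payload dump follows the header lines within the record.

```python
import re
from typing import Dict, List

# One regex per header line of an alert_full record, in Snort's order: signature, classification, packet, IP, TCP.
LINE_RES = [
    re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$"),
    re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$"),
    re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$"),
    re.compile(r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)"),
    re.compile(r"^(\S{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)\s+Win: 0x([0-9A-Fa-f]+)\s+TcpLen: (\d+)$"),
]

def parse_record(block: str) -> Dict[str, object]:
    """Parse one blank-line-delimited alert_full record into a dict."""
    lines = block.strip().splitlines()
    matches = [rx.match(line) for rx, line in zip(LINE_RES, lines)]
    if len(matches) < 5 or not all(matches):
        raise ValueError("unrecognised alert_full record: " + block)
    sig, cls, pkt, ip, tcp = matches
    ip_len, dgm_len, tcp_len = int(ip.group(5)), int(ip.group(6)), int(tcp.group(5))
    return {
        "sid": int(sig.group(2)), "rev": int(sig.group(3)), "msg": sig.group(4),
        "timestamp": pkt.group(1), "src": pkt.group(2), "sport": int(pkt.group(3)),
        "dst": pkt.group(4), "dport": int(pkt.group(5)),
        "proto": ip.group(1), "ttl": int(ip.group(2)), "ip_id": int(ip.group(4)),
        "flags": tcp.group(1).replace("*", ""),
        # Payload bytes the headers say were carried (DgmLen - IpLen - TcpLen),
        # versus whether any dump lines actually follow the five header lines.
        "payload_len": dgm_len - ip_len - tcp_len,
        "payload_logged": len(lines) > 5,
    }

def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Split an alert_full log on blank lines and parse every record."""
    return [parse_record(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]

# Sample input: the first and third records quoted in the post.
SAMPLE_LOG = """\
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:49.132647 216.156.130.2:3307 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:20849 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x83F3751B  Ack: 0xB46F9  Win: 0x2238  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-20:49:59.214308 216.156.130.2:4162 -> 172.16.1.108:80
TCP TTL:115 TOS:0x0 ID:43939 IpLen:20 DgmLen:175 DF
***AP*** Seq: 0x83F382C5  Ack: 0xB46FB  Win: 0x2238  TcpLen: 20
"""
```

Both sample records report 80 and 135 bytes of payload that the headers say were on the wire but that never reached the alert file, which is exactly the gap the question is about.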


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
