Snort mailing list archives
snort 1.8.3 not logging payload
From: "Benjamin Collins" <bencollins () tamu edu>
Date: Sun, 24 Feb 2002 11:31:30 -0600
I am running snort 1.8.3 on a RedHat 7.2 (2.4.10-7) machine. I am trying to log all the data from TCP packets that match certain rules, but it's not working. I know the packets are matching the rules, because the correct alerts are being generated, but the full packets are nowhere to be found. In the config file, I am using the 'config dump_payload' directive, and in the command used to start snort I am using the -d option.

Some information is being logged into directories named after IP addresses, but I don't think they are complete packets. For example, here's an alert generated by a rule I wrote:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/23-17:25:53.148618 10.1.1.6:4569 -> 172.16.1.12:23
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xFA54EC12 Ack: 0x0 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Yet in the /var/log/snort/10.1.1.6/ directory, there is no TCP:4569-23 file, and even in the files that are in there, there is no application data.

Anyone know what might be going on?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
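Added example (not from the post, and not Snort's own code): a small parser for Snort 1.8-style TCP alert headers that computes how many bytes of application data each packet carries as DgmLen minus IpLen minus TcpLen, decodes the flag column, and derives the per-IP log file name the post refers to (TCP:<sport>-<dport>). The first sample record is the alert quoted above; the second record is constructed here to exercise a packet that does carry data. It is worth noting what the arithmetic shows for the quoted alert: a RST with DgmLen:40, IpLen:20 and TcpLen:20 has zero bytes of payload, so there is no application data in that particular packet for -d to dump.

```python
import re
from dataclasses import dataclass

# Constructed sample input. The first record is the alert header quoted in the
# post above; the second record is fabricated for this example (not from the
# post) so the parser is exercised on a packet that does carry data.
SAMPLE_ALERTS = """\
02/23-17:25:53.148618 10.1.1.6:4569 -> 172.16.1.12:23
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xFA54EC12 Ack: 0x0 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/23-17:26:10.000000 10.1.1.6:4570 -> 172.16.1.12:23
TCP TTL:64 TOS:0x10 ID:1234 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0x1A2B3C4D Ack: 0x5E6F7081 Win: 0x16D0 TcpLen: 32
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Line 1: timestamp, src:sport -> dst:dport
HDR_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
# Line 2: IP-level fields; we only need IpLen and DgmLen
IP_RE = re.compile(r"^TCP TTL:(\d+) .*IpLen:(\d+) DgmLen:(\d+)")
# Line 3: 8-character flag column, then TcpLen at the end
TCP_RE = re.compile(r"^([*12UAPRSF]{8}) .*TcpLen: (\d+)")

# Snort prints TCP flags in this fixed column order; '*' means the bit is clear.
FLAG_NAMES = "12UAPRSF"


@dataclass
class TcpAlert:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ip_len: int
    dgm_len: int
    tcp_len: int
    flags: str

    @property
    def payload_bytes(self) -> int:
        # Application data = whole IP datagram minus IP header minus TCP header.
        return self.dgm_len - self.ip_len - self.tcp_len

    @property
    def flag_set(self) -> set:
        return {FLAG_NAMES[i] for i, c in enumerate(self.flags) if c != "*"}

    def log_filename(self) -> str:
        # Name of the per-source-IP log file as written in the post: TCP:<sport>-<dport>
        return f"TCP:{self.sport}-{self.dport}"


def parse_alerts(text: str) -> list:
    """Walk the alert text and return one TcpAlert per three-line TCP header."""
    alerts = []
    lines = [ln.rstrip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        hdr = HDR_RE.match(lines[i])
        if not hdr or i + 2 >= len(lines):
            i += 1
            continue
        ip = IP_RE.match(lines[i + 1])
        tcp = TCP_RE.match(lines[i + 2])
        if not (ip and tcp):
            i += 1
            continue
        alerts.append(TcpAlert(
            ts=hdr.group(1), src=hdr.group(2), sport=int(hdr.group(3)),
            dst=hdr.group(4), dport=int(hdr.group(5)),
            ip_len=int(ip.group(2)), dgm_len=int(ip.group(3)),
            tcp_len=int(tcp.group(2)), flags=tcp.group(1),
        ))
        i += 3
    return alerts


def describe(alert: TcpAlert) -> str:
    """One-line verdict: does this packet carry anything a payload dump could show?"""
    flags = "".join(sorted(alert.flag_set)) or "none"
    if alert.payload_bytes <= 0:
        verdict = "no application data in this packet"
    else:
        verdict = f"{alert.payload_bytes} bytes of application data"
    return f"{alert.ts} {alert.log_filename()} flags={flags}: {verdict}"


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(describe(a))
```

Run over a real alert file, the script lists which alerted packets could have produced payload bytes at all, which is the first thing to check before chasing the logging configuration: the quoted RST reports flags=R and no application data, while the constructed PSH/ACK record reports 9 bytes.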