Snort mailing list archives

Re: Packet payload


From: Erek Adams <erek () theadamsfamily net>
Date: Sat, 8 Jun 2002 20:11:55 -0700 (PDT)

On Sat, 8 Jun 2002, Ashley Thomas wrote:

> When a snort alert happens, can we see the
> packet payload that caused this alert?
>
> The logging that was created contained only as much info as the
> alert...
>
> Any pointers?

Perhaps....  First off, we need to know a few things, since that makes a
difference in how/where to find the data.

        What type of logging?  ASCII, Binary?

        If ASCII, the packet payload should be inside the dir you
specified with "-l <dirname>".  You should find these files in
/var/log/snort unless you picked somewhere else with the command-line switch.
It will be broken down in the format <IP>/<type_of_traffic>:<ports>.  This is
also known as ASCII logging.

        If it's binary logging (the "-b" option), then it's located in the binary
file inside the /var/log/snort dir, or wherever you placed it with '-l
<logdir>'.  Then simply use 'snort -vader <filename> -l <logdir>' to dump out
all the packets in the binary logs.

        If you're just getting alerts, you can't see the data.  You didn't
store it anywhere.  :(

        Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
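The binary log that Snort's "-b" option writes is in tcpdump (libpcap) format, which is why 'snort -r <filename>' can replay it. The reader below is an added example, not code from the post above or from the Snort project: it walks such a file by hand and pulls out the layer-4 payload per packet, so the payload behind an alert can be inspected even on a box without snort or tcpdump installed. It assumes an Ethernet link layer and decodes IPv4 with TCP or UDP on top; other traffic is reported by protocol number only. The two-packet capture it builds in build_sample_pcap() is constructed sample data (addresses, ports and the HTTP request bytes are made up) standing in for a real snort.log.<timestamp> file.

```python
"""Minimal reader for a Snort '-b' binary log (libpcap / tcpdump format).

Added example, not from the mailing-list post. Assumes LINKTYPE 1 (Ethernet)
and decodes IPv4/TCP and IPv4/UDP; the sample capture is constructed in memory.
"""
import socket
import struct
from typing import Any, Dict, List

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution libpcap magic number
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def _ipv4_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Ethernet frame carrying an IPv4 packet (checksums left zero: sample data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def build_sample_pcap() -> bytes:
    """Constructed stand-in for /var/log/snort/snort.log.<ts>: one TCP and one UDP packet."""
    tcp_payload = b"GET /etc/passwd HTTP/1.0\r\n\r\n"          # made-up request bytes
    tcp = struct.pack("!HHIIBBHHH", 40123, 80, 1000, 2000, 0x50, 0x18, 8192, 0, 0) + tcp_payload
    udp_payload = bytes.fromhex("123401000001000000000000")    # made-up DNS-like bytes
    udp = struct.pack("!HHHH", 5353, 53, 8 + len(udp_payload), 0) + udp_payload
    frames = [
        (1023586315, 100, _ipv4_frame("10.0.0.5", "192.0.2.80", 6, tcp)),
        (1023586315, 200, _ipv4_frame("10.0.0.5", "192.0.2.53", 17, udp)),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes) -> List[Dict[str, Any]]:
    """Walk a libpcap file and return one dict per packet, including its L4 payload."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # written on a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # written on a big-endian host
    else:
        raise ValueError("not a libpcap (tcpdump-format) file: bad magic")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}; this reader assumes Ethernet")

    packets: List[Dict[str, Any]] = []
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break                      # truncated last record (snort killed mid-write, disk full)
        off += incl_len
        packets.append(_decode_frame(sec, usec, frame))
    return packets


def _decode_frame(sec: int, usec: int, frame: bytes) -> Dict[str, Any]:
    rec: Dict[str, Any] = {"ts": f"{sec}.{usec:06d}", "proto": "non-IPv4", "src": None,
                           "dst": None, "sport": None, "dport": None, "payload": b""}
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return rec
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    rec["src"], rec["dst"] = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    rec["proto"] = IPPROTO_NAMES.get(proto, str(proto))
    l4 = ip[ihl:total_len]             # honour IP total length so Ethernet padding is dropped
    if proto == 6 and len(l4) >= 20:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        rec["payload"] = l4[(l4[12] >> 4) * 4:]       # skip TCP header incl. options
    elif proto == 17 and len(l4) >= 8:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        rec["payload"] = l4[8:]
    else:
        rec["payload"] = l4
    return rec


if __name__ == "__main__":
    # For a real log: data = open("/var/log/snort/snort.log.<timestamp>", "rb").read()
    for p in parse_pcap(build_sample_pcap()):
        print(f"{p['ts']} {p['proto']} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"{len(p['payload'])} payload bytes: {p['payload'].hex()}")
```

The check on the IP total length matters on real captures: frames shorter than 60 bytes arrive padded, and without it the padding shows up as bogus trailing payload. The truncated-record guard is the other case worth keeping, since a snort process that died while writing leaves a half record at the end of the file.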


_______________________________________________
Snort-users mailing list
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users