Snort mailing list archives
Re: session output
From: Costas Magos <kmag () lab epmhs gr>
Date: Tue, 04 Nov 2003 19:21:49 +0200
Thank you all. You've been most helpful.

~kmag

Erek Adams wrote:

> On Mon, 3 Nov 2003, Costas Magos wrote:
>
> [...snip...]
>
> > When not using the -h parameter, it seems that the IP addresses used as directories were from machines that *initiated* the sessions. This was verified against the actual binary, using ethereal. This was true for all sessions except for two IRC sessions, where the session file indicated that a non-local IP from port 6667 initiated a connection toward a local IP from port 6667 (that is, a server connecting to a client...) and ethereal revealed exactly the opposite, the local IP connecting to a remote IRC server. It is for this contradiction that I opened this thread.
>
> If you don't use "-h <foo>", Snort should build the directory based on the 'higher' port number "first", which usually should be the remote system. In the case where the ports are equal, Snort picks the 'higher' IP, IIRC.
>
> To be honest, you'll be _much_ better off logging to binary (pcap) and then, if you need the packet broken down, rerun Snort over the pcap file and use the -h <foo> switch. Quick, simple, fast. And you've got your pcap to go back and reread the data from with a:
>
>     snort -dvr <pcap_file> "host <foo>"
>
> Or whatever BPF filter you want to drop in.
>
> Cheers!
>
> -----
> Erek Adams
>
> "When things get weird, the weird turn pro." H.S. Thompson
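The directory-naming rule Erek describes, worked through for the two cases in the thread (an ephemeral-port client session and the 6667-to-6667 IRC session). This is an added illustration, not Snort's own code; the endpoints are constructed, and it assumes that -h names the directory after the address outside the home network.

```python
import ipaddress
from typing import Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


def session_dir_peer(src: Endpoint, dst: Endpoint,
                     home_net: Optional[str] = None) -> str:
    """Return the IP Snort would name the session log directory after.

    With home_net (the -h switch), the endpoint outside the home network is
    chosen (assumption: this is how -h is used for directory naming).
    Without it, the rule from the thread applies: the endpoint with the
    higher port wins; on equal ports the higher IP address wins.
    Reconstruction of the described behaviour, not Snort's source.
    """
    (sip, sport), (dip, dport) = src, dst
    if home_net is not None:
        net = ipaddress.ip_network(home_net, strict=False)
        s_home = ipaddress.ip_address(sip) in net
        d_home = ipaddress.ip_address(dip) in net
        if s_home != d_home:
            return dip if s_home else sip
        # both inside or both outside home_net: fall back to the port rule
    if sport != dport:
        return sip if sport > dport else dip
    # Equal ports: compare as addresses, not as strings
    return max(sip, dip, key=ipaddress.ip_address)


def initiator_named(initiator: Endpoint, responder: Endpoint,
                    home_net: Optional[str] = None) -> bool:
    """True when the directory name happens to coincide with the initiator.

    The directory name is a naming rule, not a direction indicator, so this
    only holds while the initiator owns the higher port.
    """
    return session_dir_peer(initiator, responder, home_net) == initiator[0]


if __name__ == "__main__":
    # Constructed endpoints: local client 10.0.0.5, remote servers in 192.0.2.0/24
    http = (("10.0.0.5", 34567), ("192.0.2.80", 80))   # ephemeral port > 80
    irc = (("10.0.0.5", 6667), ("192.0.2.77", 6667))   # equal ports
    print("HTTP dir:", session_dir_peer(*http), "initiator?", initiator_named(*http))
    print("IRC  dir:", session_dir_peer(*irc), "initiator?", initiator_named(*irc))
    print("IRC  dir with -h 10.0.0.0/8:", session_dir_peer(*irc, "10.0.0.0/8"))
```

The IRC case shows why the session file looked like "a server connecting to a client": with equal ports the remote address wins purely by being numerically higher, and with -h the remote address is named consistently whichever side initiated.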