Snort mailing list archives
Re: Showing dump of only matched paquets.
From: Gustavo Guillermo Perez <gustavo () compunauta com>
Date: Tue, 22 Mar 2011 23:59:18 -0600
On Tuesday 22 March 2011, Russ Combs wrote:
For IDS mode, -A cmg will dump the alerting packets in hex.
Thanks a lot, but starting that way I've got a quiet console and no logs and no alerts. I've read the manual and it was so hard to figure out how to write a rule, which is just why I've asked the list; sorry if this looks like a noob question!

mbu5 gus # snort -A cmg -c rule.txt -i br0
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "pcap.txt"
Tagged Packet Limit: 256
Log directory = /var/log/snort

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       1       0       0       0
|      nc       1       0       0       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
Reload thread starting...
Reload thread started, thread 1026 (3666)
Initializing Network Interface br0
Decoding Ethernet on interface br0

        [ Port and Service Based Pattern Matching Memory ]

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.1 GRE (Build 114) inline
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 8.02 2010-03-19

Not Using PCAP_FRAMES
^C*** Caught Int-Signal
Snort exiting
Run time prior to being shutdown was 1195.286587 seconds
===============================================================================
Snort ran for 0 Days 0 Hours 19 Minutes 55 Seconds
Snort Analyzed 53706 Packets Per Minute
Snort Analyzed 853 Packets Per Second
Packet Wire Totals:
   Received:      1020422
   Analyzed:      1020420 (100.000%)
    Dropped:            0 (0.000%)
Outstanding:            2 (0.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      ETH: 1020420    (100.000%)
  ETHdisc: 0          (0.000%)
 IPTables: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 6          (0.001%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 1019007    (99.862%)
  IP4disc: 732691     (71.803%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 283309     (27.764%)
      UDP: 2938       (0.288%)
     ICMP: 60         (0.006%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 1407       (0.138%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
IPv4/IPv4: 0          (0.000%)
IPv4/IPv6: 0          (0.000%)
IPv6/IPv4: 0          (0.000%)
IPv6/IPv6: 0          (0.000%)
      GRE: 0          (0.000%)
  GRE ETH: 0          (0.000%)
 GRE VLAN: 0          (0.000%)
 GRE IPv4: 0          (0.000%)
 GRE IPv6: 0          (0.000%)
GRE IP6 E: 0          (0.000%)
 GRE PPTP: 0          (0.000%)
  GRE ARP: 0          (0.000%)
  GRE IPX: 0          (0.000%)
 GRE LOOP: 0          (0.000%)
     MPLS: 0          (0.000%)
    OTHER: 9          (0.001%)
  DISCARD: 732691     (71.803%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 1020420
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 310
PASSED: 0
===============================================================================

mbu5 gus # ls -lsh
total 25M
   0 drwxr-xr-x 4 gus root    66 Mar  7 14:54 cmlnet
7.2M -rw-r--r-- 1 gus root  7.2M Mar 18 17:38 dump.bin
 12M -rw-r--r-- 1 gus root   12M Mar 18 17:44 dump2.bin
8.0K -rw-r--r-- 1 gus root  5.7K Mar 18 19:25 dump3.bin
4.4M -rw-r--r-- 1 gus root  4.4M Mar 19 19:16 dump4.bin
4.0K -rw-r--r-- 1 gus root    79 Mar 18 20:52 garg.txt
4.0K -rwxr-xr-x 1 gus users  243 Jul 17  2007 gushash
   0 drwxr-xr-x 3 gus gus     20 Mar 19 23:41 include
4.0K -rw-r--r-- 1 gus gus    111 Mar  1 03:25 juaz.html
   0 drwxr-xr-x 2 gus gus      6 Mar 22 01:42 mainto
   0 drwxr-xr-x 4 gus root    58 Mar  1 06:59 myftp
4.0K -rw-r--r-- 1 gus root    86 Mar 19 21:33 rule.txt
mbu5 gus # date
Wed Mar 23 05:53:02 UTC 2011
mbu5 gus # ls -lsh /var/log/snort/
total 2.0M
   0 -rw-r--r-- 1 root root    0 Mar 19 22:12 alert
920K -rw-r--r-- 1 root root 917K Mar 19 22:17 snort.log
288K -rw------- 1 root root 288K Mar 19 21:20 snort.log.1300569357
 56K -rw------- 1 root root  55K Mar 19 21:33 snort.log.1300569930
 40K -rw------- 1 root root  37K Mar 19 21:36 snort.log.1300570404
4.0K -rw------- 1 root root 3.9K Mar 19 21:37 snort.log.1300570617
8.0K -rw------- 1 root root 4.2K Mar 19 21:39 snort.log.1300570736
200K -rw------- 1 root root 198K Mar 19 21:54 snort.log.1300570783
 16K -rw------- 1 root root  13K Mar 19 21:55 snort.log.1300571693
8.0K -rw------- 1 root root 6.3K Mar 19 21:57 snort.log.1300571763
144K -rw------- 1 root root 143K Mar 19 22:07 snort.log.1300571839
184K -rw------- 1 root root 184K Mar 19 22:15 snort.log.1300572746
104K -rw------- 1 root root 104K Mar 19 22:35 snort.log.1300573852
mbu5 gus #

--
Gustavo Guillermo Perez
http://www.compunauta.com
http://www.compunauta.net
http://anuncios.compunauta.net
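A worked check, added here and not part of the thread or of Snort itself. Russ Combs's point is that `-A cmg` only dumps packets that alert, and the run summary in the message above ends with ALERTS: 0 but LOGGED: 310. The script below parses a Snort 2.x run summary of that shape plus a rule file and reports the combinations that leave `-A cmg` silent. In Snort 2 rule syntax the first word of a rule is its action; a `log` rule records the packet without raising an alert, so it increments LOGGED but not ALERTS. The summary text and the one-line rule file in the script are constructed to resemble the thread's output; the thread does not show the contents of rule.txt, so whether this is the cause in Gustavo's case is not something the page settles.

```python
"""Explain a quiet `snort -A cmg` console from the run summary and rule file.

Added example, not code from the thread or from the Snort project. Facts used:
`-A cmg` dumps only alerting packets (Russ Combs, this thread); a Snort 2 rule's
first word is its action, and `log` rules count toward LOGGED, not ALERTS.
"""
import re

# Constructed sample, trimmed to the counters Snort 2.8 prints at shutdown.
SAMPLE_SUMMARY = """\
Packet Wire Totals:
   Received:      1020422
   Analyzed:      1020420 (100.000%)
    Dropped:            0 (0.000%)
Outstanding:            2 (0.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      IP4: 1019007    (99.862%)
      TCP: 283309     (27.764%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 310
PASSED: 0
"""

# Constructed, hypothetical rule file; the thread's real rule.txt is not shown.
SAMPLE_RULES = """\
# A log rule records matching packets but never alerts, so -A cmg stays quiet.
log tcp any any -> any 80 (msg:"http traffic"; sid:1000001; rev:1;)
"""

# Snort 2 rule actions, in the order the summary prints for rule application.
RULE_ACTIONS = ("activate", "dynamic", "pass", "drop", "sdrop", "reject", "alert", "log")

# One counter per line: a single-word name, a colon, whitespace, an integer.
# Section headers ("Packet Wire Totals:", "Action Stats:") have spaces in the
# name and therefore do not match, which is what we want.
COUNTER_RE = re.compile(r"\s*([A-Za-z0-9]+):\s+(\d+)")


def parse_summary(text):
    """Return {lowercased counter name: int} for every counter line found."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group(1).lower()] = int(m.group(2))
    return stats


def rule_actions(rules_text):
    """Return the action keyword of each non-blank, non-comment rule line."""
    actions = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0].lower()
        actions.append(first if first in RULE_ACTIONS else "unknown")
    return actions


def diagnose(stats, actions):
    """List the reasons, visible from counters and rule actions, why -A cmg
    would print nothing. An empty list means nothing here explains it."""
    findings = []
    if stats.get("analyzed", 0) == 0:
        findings.append("no packets analyzed: check the interface and any BPF filter")
    if stats.get("alerts", 0) == 0 and stats.get("logged", 0) > 0:
        findings.append("rules matched (LOGGED > 0) but nothing alerted; "
                        "-A cmg dumps only alerting packets")
    if actions and "alert" not in actions:
        findings.append("no rule uses the 'alert' action; a 'log' rule never "
                        "raises an alert, so change it to 'alert'")
    return findings


if __name__ == "__main__":
    stats = parse_summary(SAMPLE_SUMMARY)
    for reason in diagnose(stats, rule_actions(SAMPLE_RULES)):
        print("-", reason)
```

Run it against a real shutdown summary by swapping the constructed strings for the captured console text and the actual rule file; the counter regex is deliberately strict, so a garbled paste yields fewer counters rather than wrong ones.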
Current thread:
- Showing dump of only matched paquets. Gustavo Guillermo Perez (Mar 19)
- Re: Showing dump of only matched paquets. ab1197590 () gmail com (Mar 22)
- Re: Showing dump of only matched paquets. Russ Combs (Mar 22)
- Re: Showing dump of only matched paquets. Gustavo Guillermo Perez (Mar 22)
- Re: Showing dump of only matched paquets. Gustavo Guillermo Perez (Mar 22)
- Re: Showing dump of only matched paquets. Russ Combs (Mar 22)
- Re: Showing dump of only matched paquets. Gustavo Guillermo Perez (Mar 22)
- Re: Showing dump of only matched paquets. Russ Combs (Mar 22)
- Re: Showing dump of only matched paquets. ab1197590 () gmail com (Mar 22)
- Re: Showing dump of only matched paquets. Russ Combs (Mar 22)
- Re: Showing dump of only matched paquets. ab1197590 () gmail com (Mar 22)