Snort mailing list archives
Re: Reporting packet number
From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Thu, 22 May 2014 20:11:32 +0000
Posting this to snort-users as well since this is not a bug. Please drop snort-devel from any reply. Additional comments below.

________________________________
From: Beenish Raza [beenish.raza () hotmail com]
Sent: Thursday, May 22, 2014 3:55 PM
To: Bhagya Bantwal (bbantwal); snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] Reporting packet number

When I use _A, I get something like this:

08/15-17:27:48.482649 [**] [1:500020:0] Rule no.20 [**] [Priority: 0] {TCP} 244.85.5.101:443 -> 10.34.6.10:38835

Can you please tell me where the packet number is in this?

* You need to use -A console:test as Bhagya mentioned. The packet number will be in the first column of the output.

________________________________
From: bbantwal () cisco com
To: beenish.raza () hotmail com; snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] Reporting packet number
Date: Thu, 22 May 2014 00:21:18 +0000

You can use the option -A console:test (which outputs the packet number along with the alert to console) or use -A alert to log to a file.

Thanks!

From: Beenish Raza <beenish.raza () hotmail com>
Date: Wednesday, May 21, 2014 6:09 PM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: [Snort-devel] Reporting packet number

I am matching a set of regular expressions against a large pcap file. I want snort to report the original packet number (like 10th packet of the pcap file reported match) as well when it gives alerts. What command do I need to use to do this?
Current thread:
- Reporting packet number Beenish Raza (May 21)
- Re: Reporting packet number Russ Combs (rucombs) (May 21)
- Re: Reporting packet number Bhagya Bantwal (bbantwal) (May 21)
- Re: Reporting packet number Beenish Raza (May 22)
- Re: Reporting packet number Russ Combs (rucombs) (May 22)
- Re: Reporting packet number Beenish Raza (May 22)