Snort mailing list archives

Re: Snort-devel Digest, Vol 13, Issue 7


From: "Al Lewis \(allewi\) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 11 Jun 2018 02:04:18 +0000

Hello,

Have you tried using -Aconsole:test or -Acsv?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of İzzettin Erdem via Snort-devel <snort-devel () lists snort org>
Reply-To: İzzettin Erdem <root.mch () gmail com>
Date: Sunday, June 10, 2018 at 6:10 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Snort-devel Digest, Vol 13, Issue 7

I am working on Snort 2.9.11. Is there any way to learn which alert belongs to which packet?

2018-06-10 19:00 GMT+03:00 <snort-devel-request () lists snort org>:
Send Snort-devel mailing list submissions to
        snort-devel () lists snort org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.snort.org/mailman/listinfo/snort-devel
or, via email, send a message with subject or body 'help' to
        snort-devel-request () lists snort org

You can reach the person managing the list at
        snort-devel-owner () lists snort org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-devel digest..."


Today's Topics:

   1. Re: SNORT Alert Messages (Russ)


----------------------------------------------------------------------

Message: 1
Date: Sat, 9 Jun 2018 22:36:25 -0400
From: Russ <rucombs () cisco com>
To: snort-devel () lists snort org
Subject: Re: [Snort-devel] SNORT Alert Messages
Message-ID: <1631bb59-8caf-a0ce-55ab-0ea5b17448c8 () cisco com>
Content-Type: text/plain; charset="windows-1252"; Format="flowed"

For Snort 3: snort -A csv will get you output like this by default:

05/28-08:07:32.663858, 1, TCP, raw, 40, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1:0, allow

The second field is the packet number.

On 6/9/18 9:05 PM, Y M via Snort-devel wrote:
Besides reviewing the pcap, you can also do the following:

In Snort 2 > -A console:test
In Snort 3 > -A log_hext , this will get you closer but not what you
are looking for. You can play with --lua "log_hext = { raw = true }",
but I didn't get the output you are looking for.

YM

------------------------------------------------------------------------
*From:* Snort-devel <snort-devel-bounces () lists snort org> on behalf of
Y M via Snort-devel <snort-devel () lists snort org>
*Sent:* Sunday, June 10, 2018 3:21 AM
*To:* snort-devel () lists snort org
*Subject:* Re: [Snort-devel] SNORT Alert Messages
Comments inline.

------------------------------------------------------------------------
Hello again everyone,

I want to learn which alert belongs to which packet when SNORT prints
alert messages. Is there any unique parameter that identifies packets?

Such questions are better suited to the snort-users list. You will
probably catch a wider audience there.

For example, when I give a pcap file which includes more than 50,000
packets to SNORT, I want to see alert messages like this:

[some alert] - Packet ID: 125
[some alert] - Packet ID: 200
[some alert] - Packet ID: 1456
.
.
.
[some alert] - Packet ID: 23500

Which Snort version are we talking about here?

If there is no unique parameter for packets, how can I learn
which alert belongs to which packet from the alert messages?

By reviewing the packets via tcpdump/wireshark/tshark and correlating
that to the detected rules? You can also chop your pcap to smaller
chunks, which should make it easier.

Thanks.



_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
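The correlation Russ describes above, as an added example that is neither part of the original thread nor Snort's own code: a small Python script that parses a Snort 3 alert_csv line, indexes the classic-pcap file by frame number, and checks the alert timestamp against the frame's capture time before trusting pkt_num. It assumes the default alert_csv field order shown in Russ's sample (timestamp, pkt_num, proto, pkt_gen, pkt_len, dir, src_ap, dst_ap, rule, action), that Snort counted every packet in the capture starting at 1 (a --bpf filter or an edited capture would put the numbering out of step, which is exactly what the timestamp check is there to catch), and that Snort was run with -U so the year-less timestamp is in UTC. The pcap bytes and alert lines inside are constructed test data, not output captured from Snort.

```python
"""Map Snort 3 `-A csv` alerts back to pcap frames (added example, not Snort code).

Assumptions, none stated on the page: default alert_csv field order; pkt_num
counts packets Snort received starting at 1, so it equals Wireshark's
frame.number only if nothing (--bpf, an edited capture) changed what Snort saw;
Snort ran with -U so the alert timestamp (MM/DD-HH:MM:SS.uuuuuu, no year) is UTC.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic libpcap, microsecond timestamps


@dataclass
class Alert:
    timestamp: str
    pkt_num: int
    proto: str
    src: str
    dst: str
    rule: str    # gid:sid:rev
    action: str


@dataclass
class Frame:
    number: int  # 1-based, same convention as Wireshark's frame.number
    ts_sec: int
    ts_usec: int
    data: bytes


def parse_csv_alert(line: str) -> Alert:
    """Parse one alert_csv line, assuming the default field order."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) < 10:
        raise ValueError(f"expected 10 alert_csv fields, got {len(fields)}: {line!r}")
    return Alert(timestamp=fields[0], pkt_num=int(fields[1]), proto=fields[2],
                 src=fields[6], dst=fields[7], rule=fields[8], action=fields[9])


def read_pcap(blob: bytes) -> List[Frame]:
    """Minimal classic-pcap reader (no pcapng); refuses truncated input."""
    if len(blob) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC_USEC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError(f"unsupported pcap magic {magic:#x} (nanosecond pcap or pcapng?)")
    frames, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError(f"truncated record after frame {len(frames)}")
        off += incl_len
        frames.append(Frame(len(frames) + 1, ts_sec, ts_usec, data))
    return frames


def snort_ts(ts_sec: int, ts_usec: int) -> str:
    """Render a capture time the way Snort's default timestamp looks, in UTC."""
    dt = datetime.fromtimestamp(ts_sec, tz=timezone.utc)
    return dt.strftime("%m/%d-%H:%M:%S") + f".{ts_usec:06d}"


def frame_for_alert(alert: Alert, frames: List[Frame]) -> Tuple[Optional[Frame], str]:
    """Return (frame, "") if pkt_num points at a frame whose capture time matches
    the alert, else (None, reason). Off-by-N numbering is reported here instead of
    silently blaming the wrong packet."""
    if not 1 <= alert.pkt_num <= len(frames):
        return None, f"pkt_num {alert.pkt_num} outside 1..{len(frames)}"
    frame = frames[alert.pkt_num - 1]
    captured = snort_ts(frame.ts_sec, frame.ts_usec)
    if captured != alert.timestamp:
        return None, (f"pkt_num {alert.pkt_num} is a frame captured at {captured} but the "
                      f"alert says {alert.timestamp}: numbering out of step (--bpf? edited pcap?)")
    return frame, ""


def build_pcap(records) -> bytes:
    """Constructed sample pcap for the demo: little-endian, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, data in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data
    return out


# Constructed inputs: three filler frames (bytes are not real packets);
# 1527494852 is 2018-05-28T08:07:32Z, matching the sample alert's timestamp.
SAMPLE_PCAP = build_pcap([
    (1527494852, 1000, b"\x01" * 60),
    (1527494852, 663858, b"\x02" * 40),
    (1527494853, 100000, b"\x03" * 80),
])
SAMPLE_ALERT = "05/28-08:07:32.663858, 2, TCP, raw, 40, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1:0, allow"
# Same alert, but pkt_num names a frame captured at a different time.
STALE_ALERT = "05/28-08:07:32.663858, 3, TCP, raw, 40, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1:0, allow"

if __name__ == "__main__":
    frames = read_pcap(SAMPLE_PCAP)
    for line in (SAMPLE_ALERT, STALE_ALERT):
        alert = parse_csv_alert(line)
        frame, why = frame_for_alert(alert, frames)
        if frame:
            print(f"rule {alert.rule} fired on frame {frame.number} ({len(frame.data)} bytes); "
                  f"tshark filter: frame.number == {frame.number}")
        else:
            print("cannot map alert:", why)
```

To use it on real data, replace SAMPLE_PCAP with the bytes of the capture Snort read and feed it lines from the alert_csv file; the frame number it returns goes straight into `tshark -r file.pcap -Y 'frame.number == N'` or Wireshark's Go to Packet. If the timestamp check fails for every alert by a constant offset, the capture Snort saw was not the one being indexed (typically a --bpf filter dropped frames before Snort counted them).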



------------------------------

End of Snort-devel Digest, Vol 13, Issue 7
******************************************
